From d65ca1b010e4595fae83214a363543e9dd2509f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mart=20S=C3=B5mermaa?= <mrts.pydev@gmail.com>
Date: Tue, 22 Dec 2020 00:40:54 +0200
Subject: [PATCH 001/116] Add license

---
 example/LICENSE | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 example/LICENSE

diff --git a/example/LICENSE b/example/LICENSE
new file mode 100644
index 0000000..0b8eeef
--- /dev/null
+++ b/example/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 The Web eID Project
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

From f02ef492e942fdcc60b795a1c16b0e7a8b80173f Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 22 Dec 2020 01:06:02 +0200
Subject: [PATCH 002/116] Initial commit

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/.gitattributes                        |  19 +
 example/.gitignore                            |  34 +
 .../.mvn/wrapper/MavenWrapperDownloader.java  | 121 +++
 example/.mvn/wrapper/maven-wrapper.jar        | Bin 0 -> 50710 bytes
 example/.mvn/wrapper/maven-wrapper.properties |   2 +
 example/.prettierrc.yaml                      |   7 +
 example/README.md                             | 106 +++
 example/docker-compose.yml                    |   7 +
 example/mvnw                                  | 310 +++++++
 example/mvnw.cmd                              | 182 ++++
 example/pom.xml                               | 143 ++++
 .../WebEidSpringbootExampleApplication.java   |  34 +
 .../config/ApplicationConfiguration.java      |  81 ++
 .../config/ValidationConfiguration.java       | 143 ++++
 .../org/webeid/example/config/YAMLConfig.java |  70 ++
 .../AuthTokenDTOAuthenticationProvider.java   |  94 +++
 .../WebEidAjaxLoginProcessingFilter.java      |  76 ++
 .../AjaxAuthenticationFailureHandler.java     |  55 ++
 .../AjaxAuthenticationSuccessHandler.java     |  86 ++
 .../example/security/dto/AuthTokenDTO.java    |  38 +
 .../example/service/SigningService.java       | 176 ++++
 .../example/service/dto/CertificateDTO.java   |  75 ++
 .../example/service/dto/ChallengeDTO.java     |  35 +
 .../webeid/example/service/dto/DigestDTO.java |  44 +
 .../webeid/example/service/dto/FileDTO.java   |  67 ++
 .../service/dto/SignatureAlgorithmDTO.java    |  61 ++
 .../example/service/dto/SignatureDTO.java     |  57 ++
 .../webeid/example/web/WelcomeController.java |  47 ++
 .../example/web/rest/ChallengeController.java |  49 ++
 .../example/web/rest/SigningController.java   |  75 ++
 .../src/main/resources/application.properties |   1 +
 example/src/main/resources/application.yaml   |  11 +
 .../main/resources/certs/ESTEID-SK_2015.cer   | Bin 0 -> 1652 bytes
 .../src/main/resources/certs/ESTEID2018.cer   | Bin 0 -> 1371 bytes
 .../certs/TEST_of_ESTEID-SK_2015.cer          | Bin 0 -> 1671 bytes
 .../resources/certs/TEST_of_ESTEID2018.cer    | Bin 0 -> 1408 bytes
 .../resources/certs/trusted_certificates.jks  | Bin 0 -> 1345 bytes
 .../src/main/resources/static/css/main.css    |  69 ++
 .../firefox-web-eid-extension-updates.json    |  12 +
 .../firefox/web-eid-webextension-0.9.1.xpi    | Bin 0 -> 78545 bytes
 .../firefox/web-eid-webextension-latest.xpi   | Bin 0 -> 78545 bytes
 .../resources/static/img/eu-fund-flags.svg    | 787 ++++++++++++++++++
 example/src/main/resources/static/index.html  | 150 ++++
 .../main/resources/static/js/error-message.js |  45 +
 .../main/resources/static/js/web-eid-0.9.0.js | 521 ++++++++++++
 .../src/main/resources/templates/welcome.html | 143 ++++
 .../AuthenticationRestControllerTest.java     |  57 ++
 .../webeid/example/WebApplicationTest.java    | 109 +++
 .../org/webeid/example/testutil/Dates.java    |  48 ++
 .../webeid/example/testutil/FakeNonce.java    |  36 +
 .../webeid/example/testutil/HttpHelper.java   | 101 +++
 .../webeid/example/testutil/ObjectMother.java | 141 ++++
 .../org/webeid/example/testutil/Tokens.java   |  29 +
 example/src/test/resources/signout.p12        | Bin 0 -> 3061 bytes
 54 files changed, 4554 insertions(+)
 create mode 100644 example/.gitattributes
 create mode 100644 example/.gitignore
 create mode 100644 example/.mvn/wrapper/MavenWrapperDownloader.java
 create mode 100644 example/.mvn/wrapper/maven-wrapper.jar
 create mode 100644 example/.mvn/wrapper/maven-wrapper.properties
 create mode 100644 example/.prettierrc.yaml
 create mode 100644 example/README.md
 create mode 100644 example/docker-compose.yml
 create mode 100644 example/mvnw
 create mode 100644 example/mvnw.cmd
 create mode 100644 example/pom.xml
 create mode 100644 example/src/main/java/org/webeid/example/WebEidSpringbootExampleApplication.java
 create mode 100644 example/src/main/java/org/webeid/example/config/ApplicationConfiguration.java
 create mode 100644 example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
 create mode 100644 example/src/main/java/org/webeid/example/config/YAMLConfig.java
 create mode 100644 example/src/main/java/org/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
 create mode 100644 example/src/main/java/org/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
 create mode 100644 example/src/main/java/org/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
 create mode 100644 example/src/main/java/org/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
 create mode 100644 example/src/main/java/org/webeid/example/security/dto/AuthTokenDTO.java
 create mode 100644 example/src/main/java/org/webeid/example/service/SigningService.java
 create mode 100644 example/src/main/java/org/webeid/example/service/dto/CertificateDTO.java
 create mode 100644 example/src/main/java/org/webeid/example/service/dto/ChallengeDTO.java
 create mode 100644 example/src/main/java/org/webeid/example/service/dto/DigestDTO.java
 create mode 100644 example/src/main/java/org/webeid/example/service/dto/FileDTO.java
 create mode 100644 example/src/main/java/org/webeid/example/service/dto/SignatureAlgorithmDTO.java
 create mode 100644 example/src/main/java/org/webeid/example/service/dto/SignatureDTO.java
 create mode 100644 example/src/main/java/org/webeid/example/web/WelcomeController.java
 create mode 100644 example/src/main/java/org/webeid/example/web/rest/ChallengeController.java
 create mode 100644 example/src/main/java/org/webeid/example/web/rest/SigningController.java
 create mode 100644 example/src/main/resources/application.properties
 create mode 100644 example/src/main/resources/application.yaml
 create mode 100644 example/src/main/resources/certs/ESTEID-SK_2015.cer
 create mode 100644 example/src/main/resources/certs/ESTEID2018.cer
 create mode 100644 example/src/main/resources/certs/TEST_of_ESTEID-SK_2015.cer
 create mode 100644 example/src/main/resources/certs/TEST_of_ESTEID2018.cer
 create mode 100644 example/src/main/resources/certs/trusted_certificates.jks
 create mode 100644 example/src/main/resources/static/css/main.css
 create mode 100644 example/src/main/resources/static/files/firefox/firefox-web-eid-extension-updates.json
 create mode 100644 example/src/main/resources/static/files/firefox/web-eid-webextension-0.9.1.xpi
 create mode 100644 example/src/main/resources/static/files/firefox/web-eid-webextension-latest.xpi
 create mode 100644 example/src/main/resources/static/img/eu-fund-flags.svg
 create mode 100644 example/src/main/resources/static/index.html
 create mode 100644 example/src/main/resources/static/js/error-message.js
 create mode 100644 example/src/main/resources/static/js/web-eid-0.9.0.js
 create mode 100644 example/src/main/resources/templates/welcome.html
 create mode 100644 example/src/test/java/org/webeid/example/AuthenticationRestControllerTest.java
 create mode 100644 example/src/test/java/org/webeid/example/WebApplicationTest.java
 create mode 100644 example/src/test/java/org/webeid/example/testutil/Dates.java
 create mode 100644 example/src/test/java/org/webeid/example/testutil/FakeNonce.java
 create mode 100644 example/src/test/java/org/webeid/example/testutil/HttpHelper.java
 create mode 100644 example/src/test/java/org/webeid/example/testutil/ObjectMother.java
 create mode 100644 example/src/test/java/org/webeid/example/testutil/Tokens.java
 create mode 100644 example/src/test/resources/signout.p12

diff --git a/example/.gitattributes b/example/.gitattributes
new file mode 100644
index 0000000..9115584
--- /dev/null
+++ b/example/.gitattributes
@@ -0,0 +1,19 @@
+* 	text=auto
+*.java 	text eol=lf
+*.xml 	text eol=lf
+*.pl 	text eol=lf
+*.py 	text eol=lf
+*.html	text eol=lf
+*.scss	text eol=lf
+*.css	text eol=lf
+*.js	text eol=lf
+*.bat 	text eol=crlf
+*.cmd 	text eol=crlf
+MANIFEST.MF	text eol=lf
+commit-msg	text eol=lf
+.gitattributes	text eol=lf
+.gitignore	text eol=lf
+*.deb filter=lfs diff=lfs merge=lfs -text
+*.pkg filter=lfs diff=lfs merge=lfs -text
+*.msi filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
diff --git a/example/.gitignore b/example/.gitignore
new file mode 100644
index 0000000..535d7b5
--- /dev/null
+++ b/example/.gitignore
@@ -0,0 +1,34 @@
+HELP.md
+target/
+!.mvn/wrapper/maven-wrapper.jar
+!**/src/main/**
+!**/src/test/**
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+build/
+
+### VS Code ###
+.vscode/
+
+### Vim ###
+*.swp
diff --git a/example/.mvn/wrapper/MavenWrapperDownloader.java b/example/.mvn/wrapper/MavenWrapperDownloader.java
new file mode 100644
index 0000000..bb16fac
--- /dev/null
+++ b/example/.mvn/wrapper/MavenWrapperDownloader.java
@@ -0,0 +1,121 @@
+/*
+ * Copyright 2007-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+import java.io.*;
+import java.net.*;
+import java.nio.channels.*;
+import java.util.Properties;
+
+public class MavenWrapperDownloader {
+    private static final String WRAPPER_VERSION = "0.5.6";
+    /**
+     * Default URL to download the maven-wrapper.jar from, if no 'downloadUrl' is provided.
+     */
+    private static final String DEFAULT_DOWNLOAD_URL =
+        "https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/" +
+        WRAPPER_VERSION +
+        "/maven-wrapper-" +
+        WRAPPER_VERSION +
+        ".jar";
+
+    /**
+     * Path to the maven-wrapper.properties file, which might contain a downloadUrl property to
+     * use instead of the default one.
+     */
+    private static final String MAVEN_WRAPPER_PROPERTIES_PATH = ".mvn/wrapper/maven-wrapper.properties";
+
+    /**
+     * Path where the maven-wrapper.jar will be saved to.
+     */
+    private static final String MAVEN_WRAPPER_JAR_PATH = ".mvn/wrapper/maven-wrapper.jar";
+
+    /**
+     * Name of the property which should be used to override the default download url for the wrapper.
+     */
+    private static final String PROPERTY_NAME_WRAPPER_URL = "wrapperUrl";
+
+    public static void main(String args[]) {
+        System.out.println("- Downloader started");
+        File baseDirectory = new File(args[0]);
+        System.out.println("- Using base directory: " + baseDirectory.getAbsolutePath());
+
+        // If the maven-wrapper.properties exists, read it and check if it contains a custom
+        // wrapperUrl parameter.
+        File mavenWrapperPropertyFile = new File(baseDirectory, MAVEN_WRAPPER_PROPERTIES_PATH);
+        String url = DEFAULT_DOWNLOAD_URL;
+        if (mavenWrapperPropertyFile.exists()) {
+            FileInputStream mavenWrapperPropertyFileInputStream = null;
+            try {
+                mavenWrapperPropertyFileInputStream = new FileInputStream(mavenWrapperPropertyFile);
+                Properties mavenWrapperProperties = new Properties();
+                mavenWrapperProperties.load(mavenWrapperPropertyFileInputStream);
+                url = mavenWrapperProperties.getProperty(PROPERTY_NAME_WRAPPER_URL, url);
+            } catch (IOException e) {
+                System.out.println("- ERROR loading '" + MAVEN_WRAPPER_PROPERTIES_PATH + "'");
+            } finally {
+                try {
+                    if (mavenWrapperPropertyFileInputStream != null) {
+                        mavenWrapperPropertyFileInputStream.close();
+                    }
+                } catch (IOException e) {
+                    // Ignore ...
+                }
+            }
+        }
+        System.out.println("- Downloading from: " + url);
+
+        File outputFile = new File(baseDirectory.getAbsolutePath(), MAVEN_WRAPPER_JAR_PATH);
+        if (!outputFile.getParentFile().exists()) {
+            if (!outputFile.getParentFile().mkdirs()) {
+                System.out.println(
+                    "- ERROR creating output directory '" + outputFile.getParentFile().getAbsolutePath() + "'"
+                );
+            }
+        }
+        System.out.println("- Downloading to: " + outputFile.getAbsolutePath());
+        try {
+            downloadFileFromURL(url, outputFile);
+            System.out.println("Done");
+            System.exit(0);
+        } catch (Throwable e) {
+            System.out.println("- Error downloading");
+            e.printStackTrace();
+            System.exit(1);
+        }
+    }
+
+    private static void downloadFileFromURL(String urlString, File destination) throws Exception {
+        if (System.getenv("MVNW_USERNAME") != null && System.getenv("MVNW_PASSWORD") != null) {
+            String username = System.getenv("MVNW_USERNAME");
+            char[] password = System.getenv("MVNW_PASSWORD").toCharArray();
+            Authenticator.setDefault(
+                new Authenticator() {
+
+                    @Override
+                    protected PasswordAuthentication getPasswordAuthentication() {
+                        return new PasswordAuthentication(username, password);
+                    }
+                }
+            );
+        }
+        URL website = new URL(urlString);
+        ReadableByteChannel rbc;
+        rbc = Channels.newChannel(website.openStream());
+        FileOutputStream fos = new FileOutputStream(destination);
+        fos.getChannel().transferFrom(rbc, 0, Long.MAX_VALUE);
+        fos.close();
+        rbc.close();
+    }
+}
diff --git a/example/.mvn/wrapper/maven-wrapper.jar b/example/.mvn/wrapper/maven-wrapper.jar
new file mode 100644
index 0000000000000000000000000000000000000000..2cc7d4a55c0cd0092912bf49ae38b3a9e3fd0054
GIT binary patch
literal 50710
zcmbTd1CVCTmM+|7+wQV$+qP}n>auOywyU~q+qUhh+uxis_~*a##hm*_WW<ixd#%is
z`MjA6Ps&LG0VDqa2M7Q0;|Knq_Mbn9KabMFO8nH~G9t7<Kjb9A{`%$z;6J~R`yU07
z|Er)hzl^wuu%Z%;v`A76KV%;ryzsN%20oftDT;7=Lp24s|6o<1QMlkbk(A-!`nrlz
zDWz-wcfaRHfQuSG+95`%;59>?9E7Pb7N%LRFiwbEGCJ0XP=%-6oeT$XZcYgtzC2~q
zk(K08IQL8oTl}>>+hE5YRgXTB@fZ4TH9>7=79e`%%tw*SQUa9~$xKD5rS!;ZG@ocK
zQdcH}JX?W|0_Afv?y`-NgLum62B&WSD$-w;O6G0Sm;SMX65z)l%m1e-g8Q$QTI;(Q
z+x$xth4KFvH@Bs6(zn!iF#nenk^Y^ce;XIItAoCsow38eq?Y-Auh!1in#Rt-_D>H^
z=EjbclGGGa6VnaMGmMLj`x3NcwA43Jb(0gzl;RUIRAUDcR1~99l2SAPkVhoRMMtN}
zXvC<<g{bxb|AsQDMm`XZKV7r`Y5()w1OItz>tOmX83grD8GSo_Lo?%lNfhD#EBgPo
z*nf@ppMC#B!T)Ae0RG$mlJWmGl7CkuU~B8-==5i;rS;8i6rJ=PoQxf446XDX9g|c>
zU64ePyMlsI^V5Jq5A+BPe#e73+kpc_r1tv#B)~EZ;7^67F0*QiYfrk0uVW;Qb=NsG
zN>gsuCwvb?s-KQIppEaeXtEMdc9dy6Dfduz-tMTms+i01{eD9JE&h?Kht*$eOl#&L
zJdM_-vXs(V#$Ed;5wyNWJdPNh+Z$+;$|%qR(t`4W@kDhd*{(7-33BOS6L$<Ec$2A*
zX%N|qCOg6KGF$}+*B^380SL};F@;W&Q<?0z(Oq^dk%=E)cjsZQ(gMT&6zL<+gbhl4
z-{UVq4~)HP%!ZmXZY9J@Xw|PJwn!aZq)jiuMZ6ECt21>UPDeE_53j${QfKN-0v-HG
z(QfyvFNbwPK%^!eIo4ac1;b<Cy0l6VBm^C{og@M3a>>c0vyf9}Xby@YY!lkz-UvNp
zwj#Gg|4B~?n?G^{;(W;|{SNoJbHTMpQJ*Wq5b{l9c8(%?Kd^<m!CW)Ad5}K$XYWi?
zZwEOKN&q^+9hBBYC7XXr#u0ixOzV?1jg3MO39D_%q+<J|G{O*nW+DT+z8F(<3Bnkv
zSlB9^%x<GUn#O`lgPCJj?w)X_{z_WS8e)%4p`GSlxuznbiIOnnacE`#V5>1?H<bps
z^KeTf0dV|-IHDngtUt|}GO0TGt+B<O!zR!;4N9ibD3VBh9=!Oge|SWzP#76PYQ&fw
zSGRg*MtmCNuCYQX<-5@=g(G=1C529}G9p3Iqrp_2gmQ0*le|^QrC+c;3<gL|vr&yt
zG6f0UXl+0|y|Jc}f<e%(RLJiyPNiw&KIB(38Idi9W5HAsaSQhTg)zcvVTV?7VY`UD
znkpv_w)}zZ;`Ll9=IWo4jq47DdePy{f@LB0U^QiKIJOJKY`wy>1om1de0Da9M;Q=n
zUfn{f87iVb^>Exl*n<T%tK{W>Z0hs(Yt>&V9$Pg`zX`AI%`+0SWQ4Zc(8lUDcTluS
z5a_KerZWe}a-MF9#Cd^fi!y3%@RFmg&~YnYZ6<=L`UJ0v={zr)>$A;x#MCHZy1st7
ztT+N07NR+vOwSV2pvWuN1%lO!K#Pj0Fr>Q~R40{bwdL<wm-z-wIVsTI!*3O}o;9&;
z5cTXH{O&r)mqB^q;ZeHbw*+WCuHGZ`k`go4maB>%u9i`DSM4RdtEH#cW)6}+I-eE<
z&tZs+(Ogu(H_;$a$!7w`MH0r%h&@KM+<>gJL@O~2K2?VrSYUBbhCn#yy?P)uF3qWU
z0o09mIik+kvzV6w>vEZy@&Mr)SgxPzUiDA&%07m17udz9usD82afQEps3$pe!7fUf
z0eiidkJ)m3qhOjVHC_M(RYCBO%CZKZXFb8}s0-+}@CIn&EF(rRWUX2g^yZCvl0bI}
zbP;1S)iXnRC&}5-Tl(hASKqdSnO?ASGJ*MIhOXIblmEudj(M|W!+I3eDc}7t`^mtg
z)PKlaXe(OH+q-)qcQ8a@!llRrpGI8DsjhoKvw9T;TEH&?s=LH0w$EzI>%u;oD@x83
zJL7+ncjI9nn!TlS_KYu5vn%f*@<tbI*y@KgQh-P7aV}+H4c#hKvqbJDWNeG;NaGF$
zMTU6#bBwO^n6QwXYLBOA2YCufAq_E+w1$LAL-}@2CC4-3sCkqZUuVj<&^C6hk%$w$
zPP?9f6VuIO?HcPHWY#R#)X3kV9^1Vn_}NE5?_^n&XKDWM`!%O0dq<z;PMi?H^2G{8
z_p{E&25ba{PO30LY-Sf$;Tu^*%Y$C^$EmZ2c?xntQ^!q}WXvun+UdJ5z+ZmB+{(w0
z0LYIYdXWG1Z2Iq8G{fI*(L%;1`p#BPLbk3pR<`;^#tuaE|J<P!t!0t;;eC>qa5F;|
zEFxY&B?g=IVlaF3XNm_03PA)=3|{n-UCgJoTr;|;1AU9|kPE_if8!Zvb}0q$5okF$
zHaJdmO&gg!9oN|M{!qGE=tb|3pVQ8PbL$}e;NgXz<6ZEggI}wO@aBP**2Wo=yN#ZC
z4G$m^yaM9g=|&!^ft8jOLuzc3Psca*;7`;gnHm}tS0%f4{|VGEwu45KptfNmwxlE~
z^=r30gi@?cOm8kAz!EylA4G~7kbEiRlRIzwrb~{_2(x^$-?|#e6Bi_**(vyr_~9Of
z!n>Gqf+Qwiu!xhi9f53=PM3`3tNF}pCOiPU|H4;pzjcsqbwg*{{kyrTxk<;mx~(;;
z1NMrpaQ`57yn34>Jo3b|HROE(UNcQash!<Gjf_cVClc1kwaATyDY}hUB4bg-($uix
zY7hSo_UKzVd>0p2-!Cz;{IRv#Vp5!3o$P8!%SgV~k&Hnqhp<btp}}6$qI7*vS&uZ9
zbAG2@x&Wej)TNX_!V+>`5eLjTcy93cK!3Hm-$`@yGnaE=?;*2uSpiZTs_dDd51U%i
z{|Zd9<WeM#Riq}sK3q2TIdY0+FBz3Lfj#({d`K!z8Ua*IIK2|>ou-;laGS_x=O}a+
zB<rH*!qsToxVXoFgi-Pc3Kx6-c39DfRyNjH)CeNcV1Xdn;EeR<ltYsqb^qiQ<}buC
zUkK(S{&Bhwf&LD0ivJqo6x|)2jIHJV!(sdL<mS%r>||za<795A?_~Q=r=coQ+ZK@@
zId~hWQL<%)fI_WD<Nc6^qCzK4PYOIL3}S7FBJ6Y#SwyX2B6c-zB!;1kwRv^`ZzqOf
z>IX#=(WNl!Dm$a&ROfLTd&B$vatq!M-2Jcs;N2vps$b6P1(N}=oI3<3luMTmC|0*{
zm1w8bt7vgX($!0@V0A}XIK)w!AzUn7vH=pZEp0RU0p?}ch2XC-7r#LK&vyc2=-#Q2
z^L%8)JbbcZ%g0Du;|8=q8B>X=mIQirpE=&Ox{TiuNDnOPd-FLI^KfEF729!!0x#Es
z@>3ursjFSpu%C-8WL^Zw!7a0O-#cnf`HjI+AjVCFitK}GXO`ME&on|^=~Zc}^LBp9
zj=-vlN;Uc;IDjtK38l7}5xxQF&sRtfn4^TNtnzXv4M{r&ek*(eNbIu!u$<N>>Ed%`
z5x7+&)2P&4>0J`N&ZP8$vcR+@FS0126s6+Jx_{{`3ZrIMwaJo6jdrRwE$>IU_JTZ}
z(||hyyQ)4Z1@wSlT94(-QK<hEI4XkIQYLgX<8rwPmE+=t(|@!gs6@{ux=0Y}^8qrs
zNR`*CEQ2=*7ZvlR&k8I<4Yt`~Jd)19073U0T|q{zWz*53Z&*@&iN1K(x<XfVWOZnX
zwm+u4!rk54^>qkAatMmkT7pCycEB1U8KQbFX&?%|4$yyxCtm3=W`$4fiG0WU3yI@c
zx{wfmkZAYE_5M%4{J-ygbpH|(|GD$2f$3o_Vti#&zfSGZMQ5_f3xt6~+{RX=$H8at
z?GFG1Tmp}}lmm-R->ve*Iv+XJ@58p|1_jRvfEgz$XozU8#iJS})UM6VNI!3RUU!{5
zXB(+Eqd-E;cHQ>)`h0(HO_zLmzR3Tu-UGp;08YntWwMY-9i^w_u#wR?JxR2bky5j9
z3Sl-dQQU$xrO0xa&>vsiK`QN<$Yd%YXXM7*WOhnRdSFt5$aJux8QceC?lA0_if|s>
ze{ad*opH_kb%M&~(~&UcX0nFGq^MqjxW?HJIP462v9XG>j(5Gat_)#SiNfahq2Mz2
zU`4uV8m$S~o9(W>mu*=h%Gs(Wz+%>h;R9Sg)jZ$q8vT1HxX3iQnh6&2rJ1u|<wug5
zO)e@WFa;JSSOtFV-0$1cxPn+eBsruVvnW3#;>j>^Qf`A76K%_ubL`Zu<j0}PM%5V+
z#B3wIDk3d)A}ujNM$e1J#S|R8`VAjPvZ4v6coT~mCu??Es<%#hPD1!o_ov<SnL0mu
z^!v`RC5W;uz99#ol~55F7$`ujoGG`ZRzDIZM&yEIQOl9J3{<wJNFb~f8gny*6Yr<?
zs_6)-k-Dl0gKzc)CjZjN!Fvz`nCadt)7}gOxE-d<yj>?h4`b=IyL>1!=*%!_K)=XC
z6d}4R5L+sI5<whOgpIBMZ_g*Vfer)jb&n3G#%b!yE!3FnKQouNYbA2ajy{jd2R0Sw
z!>0Q4P3upXQ3Z!~1ZXLlh!^UNcK6#QpYt-YC=^H=EPg3)z*wXo*024Q4b2sBCG4I#
zlT<G;n{_4%D%EWXfOFqi>FFY=kQ>xvR+LsuDUAk)q%5pEcqr(O_|^spjhtpb1#aC&
zghXzGkGDC_XDa%t(X`E+kvKQ4zrQ*uuQoj>7@@ykWvF332)RO?%AA&Fsn&MNzmFa$
zWk&&^=NNjxLjrli_8ESU)}U|N{%j&TQmvY~lk!~Jh}*=^INA~&QB9em!in_<Qa?j<
zqmO#O!7*4ZUV(#aq_c@nOQK(XJ2W{=3awHW4{k_f!Y|o|_G0y-q}>X%Rl1&Kd~Z(u
z9mra#<@vZQlOY+JYUwCrgoea4C8^(xv4ceCXcejq84TQ#sF~IU2V}LKc~Xlr_P=ry
zl&Hh0exdCbVd^NPCqNNlxM3vA13EI8XvZ1H9#bT7y*U8Y{H8nwGpOR!e!!}*g;<eb
z;rNL4bptqUO;1s@{82O5gjua$jm<dekvS_LF}Ul@Hd1a?B8u&Yau`nJedp21-~Y(e
zt;Gh@iNFePt5|)BfT+>mJ#}T{ekSb}5zIPmye*If(}}_=PcuAW#yidAa^9-`<8Gr0
z)Fz=NiZ{)HAvw{Pl5uu)?)&i&Us$Cx4gE}cIJ}B4Xz~-q7)R_%owbP!z_V2=Aq%Rj
z{V;7#kV1dNT9-6R+H}}(ED*_!F=~uz>&nR3gb^Ce%+0s#u|vWl<~JD3MvS0T9thdF
zioIG3c#Sdsv;LdtRv3ml7%o$6LTVL>(H`^@TNg`2KPIk*8-IB}X!MT0`hN9Ddf7yN
z?J=GxPL!uJ7lqwowsl?iRrh@#5C$%E&h~Z>XQcvFC*5%0RN-Opq|=IwX(dq(*sjs+
zqy99+v~m|6T#zR*e1AVxZ8djd5>eIeCi(b8sUk)OGjAsKSOg^-ugwl2WSL@d#?mdl
zib0v*{u-?cq}dDGy<uHZmO7`f4M%oin|l|K8(>Z%$XRY=UkQwt2oGu`zQneZh$=^!
zj;!pCBWQNtvAcwcWIBM2y9!*W|8LmQy$H~5BEx)78J`4Z0(FJO2P^!YyQU{*Al+fs
z){!4JvT1iLrJ8aU3k0t|P}{RN)_^v%$$r;+p0DY7N8CXzmS*HB*=?qaaF9D@#_$SN
zSz{moAK<*RH->%r7xX~9gVW$l7?b|_SYI)gcjf0VAUJ%FcQP(T<UI^GmLDW=>pBs;
zg$25D!Ry_`8xpS_OJd<NQAg}@GuM#Is%6^ePzKH)emeCFg+1`-FwdYjrXR}vx<@qK
z43RJ&FutS&7Y~Jw?2^674CW0rQY6&cbGNc2*L>eo$qh#7U+cepZ??TII7_%AXsT$B
z=e)Bx#v%J0j``00Zk5hsvv6%T^*xGNx%KN-=pocSoqE5_R)OK%-Pbu^1MNzfds)mL
zxz^F4lDKV9D&lEY;I+A)ui{TznB*CE$=9(wgE{m}`^<--OzV-5V4X2w9j(_!+jpTr
zJvD*y6;39&<tM)`(>T+==$F&tsRKM_lqa1HC}aGL0o`%c9mO=fts?36@8MGm7Vi{Y
z^<7m$(EtdSr#22<(rm_(l_(`j!*Pu~Y>>xc>I9M#DJYDJNHO&4=HM%YLIp?;iR&$m
z<T({U$v{GCBf+1{WW$hNjVxEbq#jLb*hb+kjl1Hara!d%A|`1T(i_is9wFMT$LvF#
z>#_$ZWYLfGLt5FJZhr3jpYb`*%9S!zCG6ivNHYzNHcI%khtgHBliM^Ou}ZVD7ehU9
zS+W@AV=?Ro!=%AJ>Kcy9aU3%VX3|XM_K0A+ZaknKDyIS3S-Hw1C7&BSW5)sqj5Ye_
z4OSW7Yu-;bCyYKHFUk}<*<(@TH?YZPHr~~Iy%9@GR2Yd}J2!N9K&CN7Eq{Ka!jdu;
zQNB*Y;i(7)OxZK%IHGt#Rt?z`I|A{q_BmoF!f^G}XVeTbe1Wnzh%1g>j}>DqFf;Rp
zz7>xIs12@Ke0gr+4-!pmFP84vCIaTjqFNg{V`5}Rdt~xE^I;Bxp4)|cs8=f)1YwHz
zqI`G~s2~qqDV+h02b`PQpUE#^^Aq8l%y2|ByQeXSADg5*qMprEAE3WFg0Q39`O+i1
z!J@iV!`Y~C$wJ!5Z+j5$i<1`+@)tBG$JL=!*uk=2k;T<@{|s1$YL079FvK%mPhyHV
zP8^KGZnp`(hVMZ;s<o6=bTk63a|d{gmA$-2FS<7$0eSF-TlR?AZ3IY<b6vyjlw+^*
zEwj5-yyMEI3=z&TduBb3HLKz9{|qCfLrTof>=n~3r2y;LTwcJwoBW-(ndU-$03{RD
zh+Qn$ja_Z^OuMf3Ub|JTY74s&Am*(n{J3~@#OJNYuEVVJd9*H%)oFoRBkySGm`hx!
zT3tG|+aAkXcx-2Apy)h^BkOyFTWQVeZ%e2@;*0DtlG9I3Et=PKaPt&<yF%{*Oa9Ou
z?0fv-L@Wq#aYQwg<&*FB!}27``9X-#8$sBgZY9F8F6O2!ko&pl;lM|sJGAG5mOc>K
zw?WI7S;P)TWED7aSH$3hL@Qde?H#tzo^<(o_sv_2ci<7M?F$|oCFWc?7@KBj-;N$P
zB;q!8@bW-WJY9do&y|6~mEruZAVe$!?{)N9rZZxD-|oltkhW9~nR8bLBGXw<632!l
z*TYQn^NnUy%Ds}$f^=yQ+BM-a<Z5BE&^HfASBBCSBYk?h>5X4^GHF=%PDrRfm_uqC
zh{sKwIu|O0&jWb27;wzg4w5uA<BJk(&g3ps<R=%CY(7QqFA5{FiGuP3;4S2PC(Mi$
zC5aTKLtzx{`nHq!$rlFcs-067FX2P^ATRXe26>@TO_j(1X?8E>5Zfma|Ly7Bklq|s
z9)H`zoAGY3n-+&JPrT!>u^qg9Evx4y@GI4$n-Uk_5wttU1_t?6><>}cZ-U+&+~JE)
zPlDbO_j;MoxdLzMd~Ew|1o^a5q_1R*JZ=#XXMzg?6Zy!^hop}qoLQlJ{(%!KYt`MK
z8umEN@Z4w!2=q_oe=;QttPCQy3Nm4F@x>@v4sz_jo{4m*0r%J(w1cSo;D_hQtJs7W
z><$QrmG^+<$4{d2bgGo&3-FV}avg9zI|Rr(k{wT<Sdtm!m&XN2&fW+_>yl3!M1q+a
zD9<of)}AueHsfP1J}234JKxcgvNA9NG}WeUj0Zbm5CmL#imino*M-yu8^dj56O^l1
zYWXWE2bd(44i?`S-6i^m({c6YwMb?3wJ)oXuwG6pkg#6OpBKYKULTjkOkS(Xk*Mz~
z7Q@V{ssRW3A8!L|*t2g!K5m7SODVEv1T?tvMEAnh%2B^+<pxcK*E^Zd6E`@?zc&{y
zX|_OJ8`w4kKd*`Rw)#C!x`_QSDAkTc6*9{J4R;Lc#MM<o0P57$n?bwwsG_|JFA+7_
z?h=+&W~by)*t5wwl<HMN8;WoZD%eD|3s6q@zGQ&~G9!L}|67$okU22M4*JIr6ZF4}
zX2}0Gn)#0u&OgE!;pkr2UOxEX@4UqLShpWwXf!NST?BDrM1k)Xq>W{pCd%il*j&Ft
z5H$nENf>><Y)QWN-8+C%b1(A+(9Im-8IpSA2E~smh4hWm>k$;SONGW`qo6`&qKs*T
z2^RS)pXk9b@(_Fw1bkb)-oqK|v}r$L!W&aXA>IpcdNZ_vWE#XO8X`#Yp1+?RshVcd
zknG%rPd*4ECEI0wD#@d+3NbHKxl}n^Sgkx==<uI|{1wy%+CL-K{xNd@Py3&PI<mi;
z25}olCw(ice=js-sk!T6A3A??n-{594W&d{Mf6jFzQ#K1VHw3n-Qr^i5vi*s53K1i
zE=3;<c5sg4CL2}%vPJ~o1sCrPw&R=v0G_X{N6^y%G*?_>Iu%}HvNliOqVBqG?P2va
zQ;kRJ$J6j;+<xEs^ttxF-^}UyLj8r}Fu@n57l(vrQE#yH8@Gep;Ig4Wy5F7>wP9cS
za#m;#GUT!qAV%+rdWolk+)6kkz4@Yh5LXP+LSvo9_T+M<xuU7dbbaY5s%w3%#p&{F
ztM*cZUwIhVTb2Pg9JUH!V&#Br+N^#Wvc!s(;)Q~g8eM`23D9;1BRUv|lC1QSt-zv6
zoq)4i%TUE(I#{SL`l7hrzsQtlSzBzh;LuWVR?Z<S_x%`~0^X%LGvyJ2D<d=aQjok{
zYGOc(|8&mS8wFk|<0el*^<FwP6+d+mA$(1{Y{Z7Mdy)XiIfqd%=)KZSET@5%dz2f$
z{Un~zG7b*I`W|M$n$o;wuExK@H`@C%?K^T(&x{PEB_5x&-9(+l2fxJJk<5y+qd5+M
zv)B^?$ftKB?B&R{Q;mp@^S%Ae)!O=eYp$cIKSZ*2h0j|4>miaP-eq6_k;)i6_@WSJ
zlT@wK$zqHu<83U2V*yJ|XJU4farT#pAA&@qu)(PO^8PxEmPD4;Txpio+2)#!9<es>
z>&=i7*#tc0`?!==v<bsniFv!RUA#@&Lyk@hN~=JDH*o=17Q463OwwFoplX_0NX6-o
zN1w#kEjtz1k+Zg;2pE57MgMenvk|UJ3o9Ef<%jZK@5Ne9Wa|yQ@G{H{smA=MpcE$t
zK;UDltfgiWtz8gFPj^Z}me|ICuRgJNi~+fgFp&$hxgOe#Rv)}-!4N-L2pTTKFK0GE
zL6;4olJ-fYa99o=tKLV@_S1xzq$ZN){E)+e#JR?p5SNk%W<_FCc@~h9E}h;!E#r9}
z-x7!Cd3qJE1zvPl0-r~j9?;WZ@j7-xzypJVH(S;^!3KL5vO0V&t0)qOKBs#UBu-~X
z6PpHB39RQgJ4P3*+EhDJFeZzeUwYTWHCGM$zF|;;LEVMcEWyyVWYsT)Tv8YOp`m?r
z)^LN!x{w5kg4lRZ1O`7dDYq^>k>s7V+PL#S1;PwSY?NIXN2=Gu89x(cToFm))7L;<
z+bhAbVD*bD=}iU`+PU+SBobTQ%<B$L&s0ur8SOhLIn6@U0dzLRHz5^E5p#yPL9a;0
z8_Y=7KwxWWl2J`f>S!=VL!>q$rfWsaaV}Smz>lO9JXT#`CcH_mRCSf4%YQAw`$^yY
z3Y*^Nzk_g$xn7a_NO(2Eb*I=^;4f!Ra#Oo~LLjlcjke*k*o$~U#0ZXOQ5@HQ&T46l
z7504MUgZkz2gNP1QFN8Y?nSEnEai^Rgyvl}xZfMUV6QrJcXp;jKGqB=D*tj{8(_pV
zqyB*DK$2lgYGejmJUW)*s_Cv65sFf&pb(Yz8oWgDtQ0~k^0-wdF|tj}MOXaN@ydF8
zNr={U?=;&Z?wr^VC+`)S2xl}QFagy;$mG=TUs7Vi2wws5zEke4hTa2)>O0U?$WYsZ
z<8bN2bB_N4AWd%+kncgknZ&}bM~eDtj#C5uRkp21hWW5gxWvc6b*4+dn<{c?w9Rmf
zIVZKsPl{W2vQAlYO3yh}-{Os=YBnL8?uN5(RqfQ=-1cOiUnJu>KcLA*tQK3FU`_bM
zM^T28w;nAj5EdAXFi&Kk1Nnl2)D!M{@+D-}bIEe+Lc4{s;YJc-{F#``iS2uk;2!Zp
zF9#myUmO!wCe<Ub=&>JIoi^A+T^e~20c+c2C}XltaR!|U-HfDA=^xF97ev}$l6#oY
z&-&T{egB)&aV$3_<F_@%fux9my8>aVA51XGiU07$s9vubh_kQG?F$FycvS6|IO!6q
zq^>9|3U^*!X_C~SxX&pqUkUjz%!j=VlXDo$!2VLH!rKj@61mDpSr~7B2yy{>X~_nc
zR<ohS^J`dGk6dIaG_i)Gd;aTd3dt9wue4&7p50t#3MF3fEaQm_e(!eLi>I+7g2V&k
zd**H++P9dg!-AOs3;GM`(g<+GRV$+&DdMVpUxY9I1@uK28$az=6oaa+PutlO9?6#?
zf-OsgT>^@8KK>ggkUQRPPgC7zjKFR5spqQb3ojCHzj^(UH~v+!y*`Smv)VpVoPwa6
zWG18WJaP<b8NF3dd`4EQ>KMi*F6Zdk*kU^`i~NNTfn3BkJniC`yN98L-Awd)Z&mY?
zprBW$!qL-OL7h@O#kvYnLsfff@kDIegt~?{-*5A7JrA;#TmTe?jICJqhub-G@e??D
zqiV#g{)M!kW1-4SDel7TO{;@*h2=_76g3NUD@|c*WO#>MfYq6_YVUP+&8e4|%4T`w
zXzhmVNziAHazWO2qXcaOu@R1MrPP{t)`N)}-1&~mq=ZH=w=;-E$IO<yffr9?K?92P
z0((ND@f`e{B%~;??Ny|=P=KRtI%m@6cA`)Elro^w{wSOJ>k=y$dOls{6sRR`I5>|X
zpq~XYW4sd;J^6OwOf**J>a7u$S>WTFPRkjY;BfVgQst)u4aMLR1|6%)CB^18XCz+r
ztkYQ}G43j~Q&1em(_EkMv0|WEiKu;z2zhb(L%$F&xWwzOmk;VLBYAZ8lOCziNoPw1
zv2BOyXA`A8z^WH!nXhKXM`t0;6D*-uGds3TYGrm8SPnJJOQ^fJU#}@aIy@MYWz**H
zvkp?7I5PE{$$|~{-ZaFxr6ZolP^nL##mHOErB^AqJqn^hFA=)HWj!m3WDaHW$C)i^
z9@6G$SzB=>jbe>4kqr#sF7#K}W*Cg-5y6kun3u&0L7BpXF9=#7IN8FOjWrWwUBZiU
zT_se3ih-GBKx+Uw0N|CwP3D@-C=5(9T#BH@M`F2!Goiqx+Js5xC9<T}`<iuZU?7g^
zD&=BWAh8}H)`P!JCWQ=&H_mj>2|Sy0%WWWp={$<c=m>(am!#l~f^W_oz78HX<0X#7
zp)p1u<E)S<Hy%f8)p*25ts$LSDkSe5AWt`*emazpyN;Hy&qA}+%@Pz^XW|M^4@iA_
z#*l+8z%;N~x^mcao{KKyg-Erj_CzJY1ma9CD7bb%0b5IFy_$k!3U=_aCQRg<4PRg@
z7VqLss(vcTz8~Pb55$JJ@2ARmDt7;jiJ!E~Ou-7*YBx0W>~M*o9W@O8P{0Qkg@Wa#
z2{Heb&oX^CQSZWSFBXKOfE|tsAm#^U-WkDnU;IowZ`Ok4!mwHwH=s|AqZ^YD4!5!@
zPxJj+Bd-q6w_YG`z_+r;S86zwXb+EO&qogOq8h-Ect5(M2+>(O7n7)^dP*ws_3U6v
zVsh)sk^@*c>)3EML|0<-YROho{lz@Nd4;R9gL{9|64xVL`n!m$-Jjrx?-Bacp!=^5
z1^T^eB{_)Y<9)y{-4Rz@9_>;<Ni;e7a(v#>_7h;5D+@QcbF4Wv7hu)s0&==&6u)33
zHRj+&Woq-vDvjwJCYES@$C4{$?f$Ibi4G()UeN11rgjF+^;YE^5nYprYoJNoudNj=
zm1pXSeG64dcWHObUetodRn1Fw|1nI$D9z}dVEYT0lQnsf_E1x2vBLql7NrHH!n&Sq
z6lc*mvU=W<?&3Y7tNdrmhnHR-*#=c(@8+WX>S6=v9Lrl}&zRiu_6u;6g%_DU{9b+R
z#YHqX7`m9eydf?KlKu6Sb%j$%_jmydig`B*TN`cZL-g!R)iE?+Q5oOqBF<tbk>Khx
z%MW>BC^(F_JuG(ayE(MT{S3eI{cKiwOtPwLc0XO*{*|(JOx;uQOfq@lp_^cZo=FZj
z4#}@e@dJ>Bn%2`2_WPeSN7si^{U#H=7N4o%Dq3NdGybrZgEU$oSm$hC)uNDC_M9xc
zGzwh5Sg?mpBIE8lT2XsqTt3j3?We8}3bzLBTQd639vyg^$0#1epq8snlDJP2(BF)K
zSx30RM+{f+b$g{9usIL8H!hCO117Xgv}ttPJm9wVRjPk;ePH@zxv%j9k5`TzdXLeT
zFgFX`V7cYIcBls5WN0Pf6SMBN+;CrQ(|EsFd*xtwr#$R{Z9FP`OWtyNsq#mCgZ7+P
z^Yn$haBJ)r96{ZJd8vlMl?IBxrgh=fdq_NF!1{jARCVz>jNdC)H^wf<?2G!*f3zl;
zdyVT?9`x`+G$!^eYN@PUum|5;j8$+`cBrBI`k*I0!jRt1BR=3gh&7e8U#!mamgR&_
z3Z&@9rms~l@GlsEKduCfx9Wt{o>y?R94#MPdUjcYX>#wEx+LB#P-#4S-%YH>t-j+w
zOFTI8gX$ard6fAh<H75EJ<)LuH_auhegZ+2E4B~a%IAJaFMvo?e6^A8l)Wuy^I?pi
zZF>&g=u&56%3^-6E2t<Yn^f-uPCm9NB$suTK>pk*wx<W&S3r;(8>3HSCQ+t7+*iOs
zPk5ysqE}i*cQocFvA68xHfL|iX(C4h*67@3|5Qwle(8wT&!&{8*{f%0(5gH+m>$tq
zp;AqrP7?XTEooYG1Dzfxc>W%*CyL16q|fQ0_jp%%Bk^k!i#Nbi(N9&T>#M{gez_Ws
zYK=l}adalV(nH}I_!hNeb;tQFk3BHX7N}}R8%pek^E`X}%ou=cx8InPU1EE0|Hen-
zyw8MoJqB5=)Z%JXlrdTXAE)eqLAdVE-=>wGHrkRet}>3Yu^lt$Kzu%$3#(ioY}@Gu
zjk3BZuQH&~7H+C*uX^4}F*|P89JX;Hg2U!pt>rDi(n(Qe-c}tzb0#6_ItoR0->LSt
zR~UT<-|@TO%O`M+_e_J4wx7^)5_%%u+J=yF_S#2Xd?C;Ss3N7KY^#-vx+|;bJX&8r
zD?|Met<uN>fhdC;^2WG`7MCgs>TKKN=^=!x&Q~Bzm<ft$_V>Qio_^l~LboTN<PA~s
ztvhkHV^TX6A<gyPqRneP;k-V;s*DXI`}cJ$*6E%w9XQN&$K(|;D9!d;Dz*l664jkU
zH#;2-C(!ut!I4z@rO6NomJDRcU5l|T$u40Cy)I1oatN8UM8v!=v?@wZKtav91=kx1
z4-I*8uU&4aiIm8&k*~&8?yrs}Q*4zuFw(bo3D%Hqk;QI)VqJr)PN^o{UIT(vi#=H=
z9m2cfv@TkDR+$~#OedTM8bgUKdawh=YD1?-b=GGS!rs?U9*&_9`8Hi1QB^7;1>T=I
zC5pme^P@ER``p$2md9>4!K#vV-Fc1an7pl>_|&>aqP}+zqR?+~Z;f2^`a+-!Te%V?
z;H<Wc=_RRR*LGsBEHu3xAdt&PDAh@%hvU_KO?Qc0RkblthZye3kgC5ar|FAvvzZzy
z5dZN1Mxh)MzaIl)qcT=a4!-}50&|$B3AXWv`5KD%cNqiXzsnd%*_xXEd%7U#59?)K
z4xQT-%Tjgh_pV$q1N?wB#Ut@8)BrjJ2?<CfBk^uTTg9@%T+@9s&TYvH;{b3J-Uq-J
z*}h{(Fj`2RxTo#3WA^-gW^<3v_Y1@hLbe$h9TVZHy4UYbApOTzxxl5kg8;wSWE}VG
zSWF3M#t^TOs$U`5P3xS<HhsD5nzlL@E-mOQJOSOipgt$0)9B$<&HZv~ky}tW35}9Q
z5*_5Aj_a$do+-~5sY56*jA#QLIeS76(hGFsa!*18efa$r<2<6`g?Jw4m-ZukILk~E
z+Da1^B-Mu5cDMA0{2yabgybylROn|Z=GUsf?fM6R$Drq%@xrqjw~_9suR#_R8wgXt
zU{ku=r+e>2SbF>jP^GE(R1@%C==<Y8b3&KH&O-3=eOv7*kQd9tI?UwT<t28PMVWZ(
zb&yE$i+8*sa|7NnujnUq6j*M5P(EydLP83}pABbYnp}h#9fwL9pl^~TRlA*50Fa8B
zEF<GcBFn{f69flKgt-u(%$yjN&TL{r%853aEKFRNX78M-GIhf%{FZJ{4g;ImRS71`
z3Yyo6P*Ki0@e;hhPWD(bhz2*>XQ@J=G9<S3k+D*)z%97N7^1&&l9}OAEHi077O(On
z7noWoH(DE8z|Ah_o?LvO$02OkEQ~{&Ha}?tE!dW%$NLAI0!b<NKmM?+t^bzaLi=}c
zlKzW%t@;mw^IyEz{~#53VX0z#_pH<z9o8RkgfU_gPu3c1j+xCdiHBHG4%}8=t~k#v
zX&p3FDYYxgltjWp7V)VY*Dyd9$+4J2)t8zpsz4cE%Rg-q^7#P<eRm`@QDNP`6SsR_
zcRx>lKX+Z<@5}PO(EYkJh=GCv#)Nj{DkWJM2}F&oAZ6xu8&g7pn1ps2U5srwQ7CAK
zN&*~@t{`31lUf`O;2w^)M3B@o)_mbRu{-`PrfNpF!R^q>yTR&ETS7^-b2*{-tZAZz
zw@q5x9B5V8Qd7dZ!Ai$9hk%Q!wqbE1F1c96&zwBBaRW}(^axoPpN^4Aw}&a5d<X6d
zH@0s>Me+*Gomky_l^54*rz<JzyAnm5XmBkSe<g?3k}Pfe82t7g;_<e&aU+v+4)y$m
zeRb}%59lYn5f}Nk?%BSnMqF!Ws^_X#@=Md_1O^7%$uR2oA!FtlReDyCcd=Q;>Xro$
z>LL)U5Ry>~FJi=*{JDc)_**c)-<XP_l4Gyvx}^77eE5(E^L$hk;37Mzdo6^f)`}K#
z{THLSWCZ0(xW^hpwR%@^?}>&faPz`6v`YU3HQa}pLtb5K)u%K+BOqXP0)rj5Au$zB
zW1?vr?mDv7Fsxtsr+S6ucp2l#(4dnr9sD*v+@*>g#M4b|U?~s93>Pg{{a5|rm2xfI
z`>E}?9S@|IoUX{Q1zjm5YJT|3S>&09D}|2~BiMo=z4YEjXlWh)V&qs;*C{`UMxp$9
zX)QB?G$fPD6z5_pNs>Jeh{^&U^)Wbr?2D6-q?)`*1k@!UvwQgl8eG$r+)NnFoT)L6
zg7lEh+E6J17krfYJCSjWzm67hEth24pomhz71|Qod<y$kjUFGaYg({=ldyCfYpI@C
zyQ_HeVXg^DSqhfa!y3S&hsT8J`qen*_5BW6wev2f-(!PE#XLIRvJ}X&_<)kgBfX&i
zXBwmuwju7ZzI8>n#oAILN)*Vwu2qpJirG)4Wnv}9GWOFrQg%Je+gNrPl8mw7ykE8{
z=|B4+uwC&bpp%eFcRU6{mxRV32VeH8XxX>v$du<$(Dfin<wZp$Q4H)Pfaukv*H0sf
z)WRtvk$o*4iMkf%^PAH#OI%3p*MbxQ{|t!*E9l0YI=&v-fja=}q?f)Qn_@69k!D6S
zU&b#%z(rw9E4Sc?(mn@@6~ZbrsZ)CkrY_Z_{e}wQyVA*eEj2w{-Fk?e+oaUR*{gY?
zEa8nD&St2JfiZ`&wn?g&EX9U~E9THj#k{MW89{=ii7l$h{u>aaWxP<+Y97Z#n#U~V
zVEu-GoPD=9$}P;xv+S~Ob#mmi$JQmE;Iz4(){y*9pFyW-jjgdk#oG$fl4o9E8bo|L
zWjo4l%n51@Kz-n%<M_TV#ts1K0mYf1F47fBmqr!jgmKJ;=;j+@iNEaC9YoqI$#UMP
z_DaJ2MCm5+3Oh~T3-;SBiloB1nPS#zeR<eAGEaOf_{>zeSCD`uB?T%FVk+KBI}=ve
zvlcS#wt`U6wrJo}6I6Rwb=1GzZfwE=I&Ne@p7*pH84XShXYJRgvK)UjQL%R9Zbm(m
zxzTQsLTON$WO7vM)*vl%Pc0JH7WhP;$z@j=y#avW4X8iqy6mEYr@-}PW?H)xfP6fQ
z&tI$F{NNct4rRMSHhaelo<5kTYq+(?pY)Ieh8*sa83EQfMrFupMM@nfEV@EmdHUv9
z35uzIrIuo4#WnF^_jcpC<Vx)$tdI1T+R0zF_1D69+(CLtgvu$DXs}SSIOZ=$O=$Tn
zaEnCWJLI`n(9-SZByUYExxoO5StnL+1}iT+O(sgx<tf>@uNN<y@{a4!Rk|T=JKwWu
z!7Ksm?(29@|82jxaWJ&J!h^=%7h_BILeeeVlcqsXEYb)h&nSL#k+zMZSWTVXSB1;v
zcincQjatdYZz&~RpYg)uv%?lxT?<Zsq?obm6opmdnN38QjL|d&ENMRSCHfKu#cN{A
z%39=~vu7H;eE>aYTQ~uZWOE6P@LFT^1@$o&q+9Qr8YR+ObBkpP9=F+$s5+B!mX2~T
zAuQ6<kEiwW$%NhT4*3<zOaDr}Z>RenX?O{IlLMl1%)OK{S7oL}X%;!XUxU~xJN8xk
z`xywS*naF(J#?vOpB(K=o~lE;m$zhgPWDB@=p#dQIW>xe_p1OLoWInJRKbEuoncf;
zmS1!u-ycc1qWnDg5Nk2D)BY%jmOwCLC+Ny>`f&UxFowIsHnOXfR^S;&F(KXd{ODlm
z$6#1ccqt-HIH9)|@fHnrKudu!6B$_R{fbCIkSIb#aUN|3RM>zuO>dpMbROZ`^hvS@
z$FU-;e4W<M6y)Im8hoQA=P7%y98J6KEu0HTxWM%F4mhK6fdz22r_7zojFNGozEHHo
zZ6t#r0+n!O8IcEbaV(>}!ubzKrU@R*dW*($tFZ>}dd*4_mv)#O>X{U@zSzQt*<TlT
z?xHfG&f%?cm8K`gA<4t?5S*}81_7DjS+k<qTYIP(W)#9ktlsV1(r@t))QC6{76sj<
zSDYlnN;zf1jb?p&^L1o92%17&l2%#SFX4ma`TR1OP=xe^Wo;nC57Jd4;a=hTEHIUo
zUTaP|OpJKI$FAQSAQg0isqRP6vdhWN{SUhKkmD}a0P9?^Y~x`OD0PxwVfo>83l9mI
zI$8O<5AIDx`wo0}f2fsPC_l>ONx_`E7kdXu{YIZbp1$(^oBAH({T~&oQ&1{X951QW
zmhHUxd)t%GQ9#a<w3bmSRr~u}n$(7~pxPXRs&HyeAkRa(uozm&0)oYXyEx}pl7@=l
zcIw|R0#t97`$=~Q6HK(sul=o>k5fTjk-cahWC;>^Rg7(`TVlvy0W@Y!Jc%QL3Ozu#
zDPIqBCy&T2PWBj+d-JA-pxZlM=9ja2ce|3B(^VCF+a*MMp`(rH>Rt6W1$;r{n1(VK
zLs>UtkT43LR2G$AOYHV<kZo|EwiHy^!;YnPn|GnJdBf0T_68MO4c!oFW%p6st$`xJ
zYNOt)N_;rcqascZwO7I=X9Bss)*~eA@TglO8}1LAmBDblZ!tTUnvDRn+;A?-M1X6K
z*8v^cV1c|Ue%9zi&ypq`xDaps;yjH)T{>ailiqk7naz2yZGLo*xQs!T9VN5Q>eE(w
zw$4&)&6xIV$IO^>1N-jrEUg>O8G4^@y+-hQv6@OmF@gy^nL_n1P1-Rtyy$Bl;|VcV
zF=p*&41-qI5gG9UhKmmnjs932!6hceXa#-qfK;3d*a{)BrwNFeKU|ge?N!;zk+kB!
zMD_uHJR#%b54c2tr~uGPLTRLg$`fupo}cRJ<c5uHhf<@e$Dvk#I8qC&ccQe;ntP%8
z_U(N)zE+)oc_Zr99;>eTwK;~}A>(Acy4k-Xk&Aa1&eWYS1ULWUj@fhBiWY$pdfy+F
z@G{OG{*v*mYtH3OdUjwEr6%_ZPZ3P{@rfbNPQG!BZ7lRyC^xlMpWH`@YRar`tr}d>
z#wz87t?#2FsH-jM6m{U=gp6WPrZ%*w0bFm(T#7m#v^;f%Z!kCeB5oiF`W33W5Srdt
zdU?YeOdPG@98H7NpI{(uN{FJdu14r(URPH^F6tOpXuhU7T9a{3G3_#Ldfx_nT(Hec
zo<1dyhsVsTw;ZkVcJ_0-<D$ec4j7wm40@(EHB@IX^JbTgh0!!UjeH%Uq#M*+_NKFU
z9zw+rX&^+LMjUjtp89z{*`hHlcg5sAPu<FN2>h-T3G1W@q)_Q30LNv)W?FbMH+XJ*
zy=$@39Op|kZv`Rt>X`zg&at(?PO^I=X8d9&myFEx#S`dYTg1W+iE?vt#b47QwoHI9
zNP+|3WjtXo{u}VG(lLUaW0&@yD|O?4TS4dfJI`HC-^q;M(b3r2;7|FONXphw-%7~*
z&;2!X17|05+kZOpQ3~3!Nb>O94b&ZSs%p)TK)n3m=4eiblVtSx@KNFgB<VaadJgM4
zYwK3786BD*n&~U4FFSBMq6kMim<E0!-4_#SX^f^<quJS?pI~}$8MxSe6;jUz^oUvA
zks*6R#kX+OB7|l8)A=WO2W{BRNM$YQ>Y_xV6ts;NF;GcGxMP8OKV^h6LmSb2E#Qnw
ze!6Mnz7>lE9u{AgQ~8u2zM8CYD5US8dMDX-5iMlgpE9m*s+Lh~A#P1er*rF}GHV3h
z=`STo?kIXw8I<`W0^*@mB1$}pj60R{aJ7<j>>C2m=oghKyxMbFNq#EVLgP0cH3q7H
z%0?L93-z6|+jiN|@v>ix?tRBU(v-4RV`}cQH*fp|)vd3)8i9hJ3hkuh^8dz{F5-~_
zUUr1T3cP%cCaTooM8dj|4*M=e6flH0&8ve32Q)0dyisl))XkZ7Wg~N}6y`+Qi2l+e
zUd#F!nJp{#KIjbQdI`%oZ`?h=5G^kZ_uN`<(`3;a!~EMsWV|j-o>c?x#;zR2ktiB!
z);5rrHl?GPtr6-o!tYd|uK;Vbsp4P{v_4??=^a>>U4_aUXPWQ$FPLE4PK$T^3Gkf$
zHo&9$U&G`d(Os6xt1r?sg14n)G8HNyWa^q8#nf0lbr4A-Fi;q6t-`pAx1T*$eKM*$
z|CX|gDrk#&1}>5H+`EjV$9Bm)Njw&7-ZR{1!CJTaXuP!$Pcg69`{w5BRHysB$<zDw
zcjqh1uY?!XAJULAYA!ToD2)^T*;)(9PK@sJOOPO&GSQY-0y+C95%=z!u)j<6o}I15
zC6AaHQ?N67s!g>(tWUes@@6aM69kb|Lx$%BRY^-o6bjH#0!7b;5~{6J+jKxU!Kmi#
zndh@+?}WKSRY2gZ?Q`{(Uj|kb1%VWmRryOH0T)f3cKtG4oIF=F7R<H74An-VM089e
zlN*A~TaQtgL_187UqCA>aRnH0Rc_&37<WST&k6<y-8Zx6Qq%dG7&LrD8erOLcploI
zf(w3f)N}iwyU98+CRV4Zke$fYA$6d$lyn3H3z8f~RO_cf+H?k7OD0jCwwoM;H<NIB
zbTo$@rlw2}>2={_3lRNsr95%ZO{IX{p@YJ^EI%+gvvKes5cY+PE@unghjdY5#9A!G
z70u6}?zmd?v+{`vCu<jrsG`-7e4C+GWyOg}Mw<0>-53_v5@z)X{oPC@P)iA3jK$`r
zSA2a7&!^zmUiZ82R2=1cumBQwOJUPz5<k9c_WcKM(Vn+kk3W1%7<t`tnq}-udm*5k
zR_|Ap%BL`4&Z2eie8rv>Ay<A3{M7#FkL;C&VH7xux0z`g&G=^Qj^-lpBpq9=z<Kn<
zZiDqJOJH9T@F_rI@?dfl*<BzjIsA<Yh4A%qCuUAs6^+5tLNuqUv2l1rbhICMg}5yb
zx`b?fvxVX0_5=sI^pJf$T-oyW=KY5HRKL_gO1`&?p>`RLfY(EiwKkrx%@YN^^X<Nj
zStykG?*NLV?~c;!i<JFWHMT*GPEThv<NV<3#lUiF#=F;M^K~Ij_}f)mB}`>uET;tE
zmr-6~I7j!R!KrHu5CWGSChO6deaLWa<u2N+!y-e&UAhtX)uSIDcFN$fk%4m8fwJ2Q
zOv9UZX-MbW_s!U!6lGksP$XN`(`3o78xr(sNUv$zhjcuMvy4&jdPT)knJ(%p?#Fi`
zTqYl(Vq?l)*m!!CB7!Q97y@}YmbaOaev`5Ta19gb;jh{rC=^#57s}&!X$+bU=u0j^
zA@<$7@i*QP;0Y_%>*9LLJbcAJsFd%Dy>a!>J`N)Z&oiU4OEP-!Ti^_!p<rXzhQC@3
zG;WLll1HMO<ei9MPYV(Rrra7syrY2Bi5NC~8Cmo;+l-aesVcl<ib{QIQxo*6a*exs
z5Qaf=Y{wbKv*_kEnMVhR;YYlSU;>}O?7`}i7Lsf$-g<xhdYrU`h00vC9X+sM3sx}r
zCPd*Kl0|Oh7<_e3w4PNWG*Q={KZh*(tt-K?n?m73ypPWZQYkyX9Xgy+j>BkuY*`Zb
z7=!nTT;5z$_5$=J=Ko+Cp|Q0J=%oFr>hBgnL3!tvFoLNhf#D0O=X^h+<D%s)KbSG+
zM{s4oZjjM2&HxP-;1<DeRGJkAY@dRP&>x08iB;@8pXdRHxX}6R4k@i6%vmsQwu^5z
zk1ip`#^N)^#Lg#HOW3sPI33xqFB4#bOPVnY%d6prwxf;Y-w9{ky4{O6&94Ra8VN@K
zb-lY;&`HtxW@sF!doT5T$2&lIvJpbKGMuDAFM#!QPXW87>}=<kY=DIbR`-HsR^z#P
z$j>Q4J3JeXlwHys?!1^#37q_k?N@+u&Ns20pEoBeZC*np;i;M{2C0Z4_br2gsh6eL
z#8`#sn41+$iD?^GL%5?cbRcaa-Nx0vE(D=*WY%rXy3B%gNz0l?#noGJGP728RMY#q
z=2&aJf@DcR?QbMmN)ItUe+VM_U!ryqA@1VVt$^*xYt~-qvW!J4Tp<-3>jT=7Zow5M
z8mSKp0v4b%a8bxFr>3MwZHSWD73D@+$5?nZAqGM#>H@`)mIeC#->B)P8T$zh-Pxnc
z8)~Zx?TWF4(YfKuF3WN_ckpCe5;x4V4AA3(i$pm|78{%!q?|~*eH0f=?j6i)n~Hso
zmTo>vqEtB)`%hP55INf7HM@taH)v`Fw40Ayc*R!T?O{ziUpYmP)AH`euTK!zg9*6Z
z!>M=$3pd0!&TzU=hc_@@^Yd3eUQpX4-33}b{?~5t5lgW=ldJ@dUAH%`l5US1y_`40
zs(X`Qk}vvMDYYq+@Rm+~IyCX;iD<kEtC|r#XuMTVlQJLByw3)=nc7jt^BNycu`#-Z
z9m4E2+1EzDuad50wi$^(+Hvb9$Eha2<sG<&CWgZd3<Q-qEaW+FG(V#0KfK;OWdSIX
ze%=;Qa8;`8Zx;tGw9w+hCfD9U`qwSbb|b=F-(0ywZ1mUE<SPxWg(nI#;e9b4;-cmC
zbkW@PY-|EL1~YUG#HK))B|}VGpDcA_PVjsz5|%*t-amcgeBTh2*yZ^93cTX|bufo`
zQReW1{rIs3`*(?amcKig|NA{cF?}1O|0Dt`t7{^uqWi=EgZ8!NmGTQO<imr@BQyb<
zFB%lVL<Hx{bwKZ?LX$A=8xhP*UR7Kw+dlM--*I*2cYzmi$#z}GSiENw#R40&w6U2^
zwPam;_8fkE4cGJluti-nSs}3*cZAjMqTd!mmqfkKK~8rB?~AcwYfiW^a9^!)xfM@n
zF;=c7Ix)WhyG&v{N7;?lBJS3uv12>~pMgq^KY)T*aBz@<c&T2fpNhg@IxXbO=$S4w
z9+<Ik6K+Bnk`RNW=eul(Nn=)*O$p~uOQvJ^G0uLUsS4@I3V39+0g7_uyW2{0dM!$g
zika@FK29jP4cL_~!!sf!?;2}w@jg7y{U6reF}Tup-5TwVI<{?V#<p$Sw%M_5+qP{x
z>DYEB={PxA>)mI6tM*sx-DmGQHEaHwRrAmNjO!ZLHO4b;;5mf@zzlPhkP($JeZGE7
z?^XN}Gf_feGoG~BjUgVa*)O`>l<h*IpQ!z2CW{ns`;EbZK%SB&68g{f@GzLs;1_hP
z3|8#wF*;&Im!eeBlov5`2~+&il<&t*jr$-3va7?Dy?*g>X=$BSR2)uD<<!f=iY_7+
zCx~VgL*7J|?j{<rG=oL^Y0X6hjaO<Iv?&cH7Aoxz;856j4%+M18L|=;(%P~v84U>9
z>o^|nb1^oVDhQbfW>>!;8-7<}nL6L^V*4pB=>wwW+RXAeRvKED(n1;R`A6<f&`KXK
zfD&?Dt(5bu;DN{UB7piRVUy%Z<Ey!ADARS8_d#8xObY02AD!+&INw_XsW544fRkiv
zsgN89xNO|AooI0A^u_oh*3HRu5%VnYg>v$6<SBgAN0_0JGCLdqq}<97hmgd=n75Q7
zOhTZ|s`O5g29c?$OeSv4RJAn%uB~Dve&?a)t$o2;<4XX)6*Yrots9mCjmaoXL^Nc~
z7AGnF^zS7wG1fC!o)f^`@k|@3oheBwS}G8pg}FkGEw{zNtmQiz$aA;JXH45T3+c-9
z!O<9l>gy0I(;Vf?!4;&sgn7F%LpM}6PQ?0%2Z@b{It<(G1CZ|>913E0nR2r^Pa*Bp
z@tFGi*<dAvc$qjHT6XD6wTz&&N_7u(Rl1@oBi^7tlbIL_CL@ADr>CQ~@Yc-?{cwu1
zsilf=k^+Qs>&WZG(3WDixisHpR>`+ihiRwkL(3T|=xsoNP*@XX3BU8hr57l3k;pni
zI``=3Nl4xh4oDj<%>Q1zYXHr%Xg_xrK3Nq?vKX3|^Hb(Bj+lONTz>4yhU-UdXt2>j
z<>S4NB&!iE+ao{0Tx^N*^|EZU;0kJkx@zh}S^P{ieQjGl468CbC`SWnwLRYYiStXm
zOxt~Rb3D{dz=nH<w<gcr0@Smh4?7*NpxM$L=7%^NSAFm@#nvp#8qWCc6XLxOp05m;
zm+Vq=;6Q;TxJ*@^XL*?^Xi4dI#=!F|B%y2um~UT1!6v(w_7D}&dy`}<a;f$Z+oyNl
zPr8sXY@0tTpl1$l?+9za&ct1tHK2{yCONrnRJqPnW$cjE{pEeqMN^ABAC6U)X#ni~
zUfB89Z_@>McY)#r^kF8|q8KZHVb9FCX2m^X*(|L9FZg!5a7((!J8%MjT$#Fs)M1Pb
zq6hBGp%O1A+&%2>l0mpaIz<Trj|_4|8tOfqtA{6qYlUp*AW=6wyaR8GVPG#YUBW`2
zz?f&&D9xup7E7}pxSU<br&5#ywm1K0k5E*vu$t7Enh18PU+-VB2_er`-mhr?sHL7j
zdNe0r@5Qcsr6&D*8};8txBQ2IC1`77Vs7f}p#Ogc;H1QDMJ#3HksdSw#QC5=kn+%`
zd5hJ-U>bo&jc^!oN^3zxap3V2dNj3x<=TwZ&0eKX5<Dl7;b^#b;I{(onaxeU`VFpo
z0#Bcu*HzEyqwUWRcPKs3DfD6V-^rWHZYg+KCu<bE3(}VxN1N3)mY&_z>PIso9j1;e
zwUg+C&}FJ`k(M|%%}p=6RPUq4sT3-Y;k-<68ciZ~_j|bt>&9ZLHNVrp#+pk}XvM{8
z`?k}o-!if>hVlCP9j%&WI2V`5SW)BCeR5>MQhF)po=p~AYN%cNa_BbV6EEh_kk^@a
zD>4&>uCGCUmyA-c)%DIcF4R6!>?6T~Mj_m{Hpq`*(wj>foHL;;%;?(((YOxGt)Bhx
zuS+K{{CUsaC++%}S6~CJ=|vr(iIs-je)e9uJEU8ZJAz)w166q)R^2XI?@E2vUQ!R%
zn@dxS!JcOimXkWJBz8Y?2JKQr>`~SmE2F2SL38$SyR1^yqj8_mkBp)o$@+3BQ~Mid
z9U$XVqxX3P=X<VH60STdy0sB@jX}+Y_TBg#FKwe*aYaFRRb%;;%q$^Iyf2|Z9YYlw
z%Jt8hwodbGdJaNxw5cPU2RS=7SORg_h_1qR>CKj0*W>}L0~Em`(vG<>srF8+*kPrw
z20{z(=^w+ybdGe~Oo_i|hYJ@kZl*(9sHw#Chi&OIc?w`nBODp?ia$uF%Hs(X>xm?j
zqZQ`Ybf@g#wli`!-al~3GWiE$K+LCe=Ndi!#C<Hn52U9|8K~Ro$I%*RemIf>VjzUZ
z!sD2O*;d28zk<D+-Enbah_#E$&gZ)`AdRl_O}jIQbDwnNAHN#Ci};At$G&3SwK=`P
zpl<2i0!g;rM|EdU74dfP@uV!%*6y8FWa~UFSiX{QU&G^{<bvxL*Ya&&SpTLG7}BO*
zVEuYNLK5?yLUyUVq~muHmVx1;3PYt2J_P<eP7KS>l))m)YN7HDi^z5IuNo3^w(zy8
zszJ<n=2-mJ3CZwLndLXzyBh4<7UNIu$A>G#mp#Cj)Q@E@r-=NP2FVxxEAeOI2e=<s
zqQBD3JtlZm1u~d=N%{y8-ymvOK+jMz2r(X*J0Ylh@G(QI7kZ%-a}ol+`87x|nnG+6
z{b(|BA>|KshybNB6HgE^(r>HD{*}S}m<qA!*hb9IzvC@5i1<u^W80An;lZADAm?KP
zko)m@6{ci~_>O>LuRGJT{*tfTzw_#+er-0${}%YPe@CMJ1Ng#j#)i)SnY@ss3gL;g
zg2D~#Kpdfu#G;q1qz_TwSz1VJT(b3zby$Vk&;Y#1(A)|xj`_?i5YQ;TR%jice5E;0
zYHg;`zS5{S*9xI6o^j>rE8Ua*XhIw{_-*&@(R|C(am8__>+Ws&Q^ymy*X4~hR2b5r
zm^p3sw}yv=tdyncy_Ui7{BQS732et~Z_@{-IhHDXAV`(W<!Q69%H#|w=%}3Kg=YWc
zt&hb~JKx8-xR1O(MbVHSG9)1(@!kVOhLD87%Fl_`7;R(RkjZ~i+x)8zFXU-77X{6f
zYPk%NpFBFvuuQH>lay<#hb>%H%WDi+K$862nA@BDtM#UCKMu+kM`!JHyWSi?&)A7_
z3{cyNG%a~nnH_!+;g&JxEMAmh-Z}rC!o7>OVzW&PoMyTA_g{hqXG)SLraA^OP**<7
zjWbr7z!o2n3hnx7A=2O=WL;`@9N{vQIM@&|G-ljrPvIuJHYtss0Er0fT5cMXNUf1B
z7FAwBDixt0X7C3S)mPe5g`YtME23wAnbU)+AtV}z+e8G;0BP=bI;?(#|Ep!vVfDbK
zvx+|CKF>yt0hWQ3drchU#XBU+HiuG*V^snFAPUp-5<#R&BUAzoB<hHU=m37G!KV!9
zs~61*+Hcg^$oOSo5g9ycnV9qCP&Q;3{o<yJQWFe=Yh1|Y)*C9d35V8SB$g)x4!&YT
z9d!w9=cZ#b{*g~^@EzhO7VrZ@nbuP0-lhv4I*V+9U65<q8FQ4Wa}XL)HtQO{P^VHi
zj-)s#FI|G`@U9{D_@sL{)yhu<Sb_Bt7ceo}s9YE~$iU7@K*Agnl+Zh7seWE5&R!S_
zCmI0O0@x~Z_p8Nlh6x&3>!aZ+e*KIxa26V}s6?nBK(U-7REa573wg-jqCg>H8~>O{
z*C0JL-?X-k_y%hpUFL?I>0WV{oV`Nb)nZbJG01R~AG>flIJf)3O*oB2i8~;!P?Wo_
z0|QEB*fifiL6E6%>tlAYHm2cjTFE@*<);#>689Z6S#BySQ@VTMhf9vYQyLeDg1*F}
zjq>i1*x>5|CGKN{l9br3kB0EHY|k4{%^t7-uhjd#NVipUZa=EUuE5kS1_~qYX?>hJ
z$}!jc9$O$>J&wnu0SgfYods^z?J4X;X7c77Me0kS-dO_VUQ39T(Kv(Y#s}Qqz-0AH
z^?WRL(4RzpkD+T5FG_0NyPq-a-B7A5LHOCqwObRJi&oRi(<;OuIN7SV5PeHU$<@Zh
zPozEV`dYmu0Z&Tqd>t>8JVde9#Pt+l95iHe$4Xwfy1AhI<n`R9oH@0SV-qw)kv`%>
zDM4XJ;bBTTvRFtW>E+GzkN)9k!hA5z;xU<Ypbch46*+?z6ODVueTOx78M~}ZZ>OL2
zq4}zn-DP{qc^i|Y%rvi|^5k-*8;JZ~9a;>-+q_EOX+p1Wz;>i7c}M6Nv`^NY&{J->
z`(mzDJDM}QPu5i4<c4By441WIqZqp>4**2Qbo(XzZ-ZDu%6vm8w@DUarqXj41VqP~
zs&4Y8F^Waik3y1fQo`bVUH;b=!^QrWb)3Gl=QVKr+6sxc=ygauUG|cm?|X=;Q)kQ8
zM(xrICifa2p``I7>g2R~?a{hmw@{!NS5`VhH8+;cV(F>B94M*S;5#O`YzZH1Z%yD?
zZ61w(M`#aS-*~Fj;x|J!KM|^o;MI#Xkh0ULJcA?o4u~f%Z^16ViA27FxU5GM*rKq(
z7cS~MrZ=f>_OWx8j#-Q3%!aEU2hVuTu(7`TQk-Bi6*!<}0WQi;_FpO;fhpL4`DcWp
zGOw9vx0N~6#}lz(r+dxIGZM3ah-8qrqMmeRh%{z@dbUD2w15*_4P?I~UZr^anP}DB
zU9CCrNiy9I3~d#&!$DX9e?A});BjBtQ7oGAyoI$8YQrkLBIH@2;lt4E^)|d6Jwj}z
z&2_E}Y;H#6I4<10d_&P0{4|EUacwFHauvrjAnAm6yeR#}f}Rk27CN)vhgRqEy<?cr
z6R5`U_Sc@<8Rnm)Sx4=ssMmH)((fLzBDe-8oZL2?8;gVE_E7eCE*q4brE|Rr5x0o2
z^Y;YlS3Tj6!|OE$_**V00k_c=V$Fb3v>PMMS7zvunj2?`f;%?alsJ+-K+IzjJx>h8
zu~m_y$!J5RWAh|C<6+uiCNsOKu)E72M3xKK(a9Okw3e_*O&}7llNV!=P87VM2DkAk
zci!YXS2&=P0}Hx|wwSc9JP%m8dMJA*q&VFB0yMI@5vWoAGraygwn){R+Cj6B1a2Px
z5)u(K5{+;z2n*_XD!+Auv#LJEM)(~Hx{$Yb^ldQmcYF2zNH1V30*)CN_<GsyFjVmb
zD)h_|Q}^G(^TxQkX_gf#v;s8zRbbF@HZgig3fX7Y_C%KW^4;Mzb1Q_mbv<K`san7p
zr<VAL=_8V?wGQ9W#OCB6w#j#s*xTCOq{>|1$v2|`LnFUT$%-tO0Eg|c5$BB~yDfzS
zcOXJ$wpzVK0MfTjBJ0b$r#_OvAJ3WRt+YOLlJPYMx~qp>^$$$h#bc|`g0pF-Ao43?
z>*A+8lx>}L{p(Tni2Vvk)dtzg$hUKjSjXRagj)$h#8=KV>5s)J4vGtRn5kP|AXIz!
zPgbbVxW{2o4s-UM;c#We8P&mPN|DW7_uLF!a|^0S=wr6Esx9Z$2|c1?GaupU6$tb|
zY<J=2bwPXwbBG}bpBO&`HtCU`sQ3|>_KU`(_29O_%k(;>^|6*pZURH3`@%EuKS;Ns
z1lujmf;r{qAN&Q0&m{wJSZ8MeE7RM5+Sq<f50&3KEB%;ap5IYu9&*^L3pcVFcAVGW
z04UqHZaI^y_@+2E#<{--P$9fmBw58@VQ=7%^zveD0O(QSrIoS+oGEl}3S0B`>;ul_
z`+ADrd_Um+G37js6tKsArNB}n{p*zTUxQ<D{*LSzTK#>r>3@wA;{EUbjNjlNd6$Mx
zg0|MyU)v`sa~tEY5$en7^PkC=S<2@!nEdG6L=h(vT__0F=S8Y&eM=hal#7eM(o^Lu
z2?<VnV9$|PdIge&&n55GFYu(+3gKo$EMBH)g%fG=d0l9?y&R{Xr=bU~d3k-ls||~Q
zdqZ2Ibd=svvcd-G9F6qP%UbDFL29x}6nCqava_&eR!Ou?Rs~d=hgF3;Q(KAtA|Qt@
z5PeHMC$T|!hzTOnXCt_0q;>^;05&|CNliYrq6gUv;|i!(W{0N)LWd*@{2q*u)}u*>
z7MQgk6t9OqqXMln?zo<KXCh}0JB2C8;d$OZ4?Q<ATC(JOVrvVRF?KkQ6^O&o2`<Q$
z-DPJRqChOl5!YowVXd(3%Ph16pi-d;JaH~r7U?lZJ2%#6uX=|Lcr}^Zli4ixQ1C%y
zu&(nSVW}d7kd1wVFUCOiEZW+4k^V(lOke1~%a8sQs^wAs8KLfUs=BxNe!(Y6_8ZZT
zCo;rs5WaGpeBh67<^|*xA#S65VbLU+e&jyIK!;_a^VJ`2wxD(4_GkoNZ>MAJcc<qR
zn=|0eY#rHX{fDEbS#wEN)PdQ$L3*RG1e}T^y9xXbBKsT-;}=KsEl9zS;lM1nZWo<>
zMKaof_Up})q#DzdF?w^%tTI7STI^@8=Wk#enR*)&%8yje>+tKvUYbW8UAPg55xb70
zEn5&Ba~NmOJlgI#iS8W3-@N%>V!#z-ZRwf<nAQuk$4XsbA2?xvz!lf8!A9&u)@oCJ
z>PO1)dQdQkaHsiqG|~we2ALqG7Ruup(DqSOft2RFg_X%3w?6VqvV1uzX_@F(diNVp
z4{I|}35=11u$;?|JFBEE*gb;T<e_J|zDJ1_W|BYXEUQsj_Ekmr-1GFuSJ!fD#Jwt6
z^IPIC_5NN>`dy+8gWJ9~pNsecrO`t#V9jW-6mnfO@ff9od}b(3<kFPLL`V`PrepA!
znVLswD&Ch_A#nGnS!pm`W^|6KlQj9e0x>s4>p0i30gbGIv~1@a^F2kl7YO;DxmF3?
zWi-RoXhzRJV0&XE@ACc?+@<sd-G9HF5dZ&*wEq(u_wO-RrDCaxC5-G7V)cvIY8~D$
zoG?hk!X_5=BuWn1Z*9@8ZV{ixBE=X&GGWu%bzo>6?)LQ2XNm4KfalMtsc%4!Fn0rl
zpHTrHwR>t>7W?t!Yc{*-^xN%9P0cs0kr=`?bQ5T*oOo&VRRu+1chM!qj%2I!@+1XF
z4GWJ=7ix9;Wa@xoZ0RP`NCWw0*8247Y4jIZ>GEW7zuoCFXl6xIvz$ezsWgKdVMBH>
z{o!A7f;R-@eK9V<P+C5DN?NK_qQ5=(jYExKglP|qB=@(M#QRp~t%BPwuyztnP9`ft
z1YRSG3otkYRhg1ElU)y#_?Pd>j7R40xx)T<2$?F2E<>Jy3F;;=Yt}WE59J!1WN367
zA^6pu_zLoZIf*x031CcwotS{L8bJE(<_F%j_KJ2P_IusaZXwN$&^t716W{M6X2r_~
zaiMwdISX7Y&Qi&Uh0upS3TyEIXNDICQlT5fHXC`aji-c{U(J@qh-mWl-uMN|T&435
z5)a1dvB|oe%b2mefc=Vpm0C%IUYYh7HI*;3UdgNIz}R##(#{(_<BD95FF;ZFGV&qz
z8Pn8EL}R(PV6KpLWp*(tnj`ERy@}m*TiM3BfE$7{gi4TPp(o3PTBV#018`5lT6LcC
z+PH<CSJwzhW!is6r}03ir}GTleL`F(Zdpu?5Nr&E5EjcwAj64ex8MP|*gW4nq?Q<t
z3@5`=_0esGb^Ece<ag$xQWKy^lIB?y(A?CgT;_3FV}1}aB!)jwA@T?(6XedlQ*(k9
zDadBI6m!U;qSg`{#7%mtl6VD&C{a5(&zN`4qOG(j4~hS{3H95A$%A5tpnCEbP+wqO
z>>82|zB0L*1i4B5j-xi9O4x10rs_J6*gdRBX=@VJ+==sWb&_Qc6tS<KlKZn<VwU!n
zLnOnI&WJ&J91(5%V9y=4Jq_eBfm9!BCKO-W6RKLW6dVby&S8C>OowM{BX@(zawtjl
zdU!F4OYw2@Tk1L^%~JCwb|e#3CC>srRHQ*(N%!7$Mu_sKh@|*XtR>)BmWw!;8-mq7
zBBnbjwx8Kyv|hd*`5}84flTHR1Y@@uqjG`UG+jN_YK&RYTt7DVwfEDXDW4U+iO{>K
zw1hr{_XE*S*K9TzzUlJH2rh^hUm2v7_XjwTuYap|>zeEDY$HOq3X4Tz^X}E9z)x4F
zs+T?Ed+Hj<#jY-`Va~fT2C$=qFT-5q$@p9~0{G&eeL~tiIAHXA!f6C(rAlS^)&k<-
zXU|ZVs}XQ>s5iONo~t!XXZgtaP$Iau;JT%h)>}v54yut~pykaNye4axEK#5@?TSsQ
zE;Jvf9I$GVb|S`7$pG)4vgo9NXsKr?u=F!GnA%VS2z$@Z(!MR9?EPcAqi5f<pK5;t
zb&cukw)8-|x31H1(Fj&i+kM40=Y04i9gus|j!y(ah9bVAH`yCx;#-MJ&6<Uo;364L
z>t)Iz6sNl`%kj+_H-X`R<>BFrBW=fSlD|{`D%@Rcbu2?%>t7i34k?Ujb)2@J-`j#4
zLK<69qcUuni<uOj0}C`gMaESz)GI|*Grst&fPD8oZr)bKc^}~YN0GER#uusn+Tc!q
zWrF<sBKhCak$)+P{0^qh)?a~|!fuAfcK>Ian-$A1+fR=?@+thwDIXtF1Tks@Br-xY
zfB+zblrR(ke`U;6U~-;p1Kg8Lh6v~LjW@9l2P6s+?$2!Z<IDB+yY4ox&h|I0y;-5?
z9m>RPX`(ZkRGe7~q(4&g<OcID-Zqc@__+obc6~O5DPU5>Ei<$ch`5kQ?*1=GSqkeV
z{SA1EaW_A!t{@^UY2D^YO0(H@+kFVzZaAh0_`A`f(}G~EP~?B|%gtxu&g%^x{EYSz
zk+T;_c@d;+n@$<>V%P=nk36?L!}?*=vK4>nJSm+1%a}9UlmTJTrfX4{Lb7smNQn@T
zw9<w{mDNj#YVY((v>p2%(Zjl^bWGo1;DuMHN(djsEm)P8mEC2sL@KyPjwD@d%QnZ$
zMJ3cnn!_!iP{MzWk%PI&D?m?C(y2d|2VChluN^yHya(b`h>~GkI1y;}O_E57zOs!{
zt2C@M$^PR2U#(dZmA-sNreB@z-yb0Bf7j*y<pBQ+k4*aVp?w`(S5_}b&kg4X@Sofy
zcqHS%!CX>ONhZG=onhx>t4)RB`<CY&xEoOnNq|`4TwO?Um+51s<NDq0^B>r6&TP$n
zgmN*)eCqvgriBO-a<gb-@gO7*f-;=;$N<27Yp)D7Ln4I)79>bHQ8ECN0bw?z5Bxpx
z=jF@?zFdVn?@gD5egM4o$m`}lV(CWrOKKq(sv*`mNcHcvw&Xryfw<{ch{O&qc<L-M
zVmpiaS&dR>#WCTXX6=#{MV@q#iHYba!OUY+MGeNTjP%Fj!WgM&`&RlI^=AWTOqy-o
zHo9YFt!gQ*p7{Fl86>#-JLZo(b^O`LdFK~OsZBRR@6P?ad^Ujbqm_j^XycM4ZHFyg
ziUbIFW#2tj`65~#2<ophCAkOZ($XwYEX-9Vd`-+%7JN?3GR#=*po_llExeP58!Yyh
zfBFZx*>V!4z7DM8Z;fG0|APaQ{a2VNYpNotB7eZ5kp+tPDz&Lqs0j%Y4tA*URpcfi
z_M(FD=fRGdqf430j}1z`O0I=;tLu81bwJXdYiN7_&a-?ly|-<ApEerJYO+vWo=kI`
z-rD}hhy8i~TGtoY4s6@Z3<13<OR9eqt4um=6eFf6$!!n)xzh=;tTHXN(UE;Xf=pU+
z`dE9RnW+)N$rd9fN@%&3A?!JdCd~nqX?>j*+=--XGvCq#32Gh(=|qj5F?kmihk{<M
zgEPC5kES)++<3TpUXV3Y3P48VdaIr-^IB0!+8~n0mjL`=xeqv8O-l|+H1rq)7sA{H
z^$*$;DIbhLHBWOj8khSs5o|aYh+3RPX=5iXJy_n`ZNI><Spn2FM>%M&$}udW5)DHK
zF_>}5R8&&API}o0osZJRL3n~>76nUZ&L&iy^s>PMnNcYZ|9*1$v-bzbT3rpWsJ+y{
zPrg>5Zlery96Um?lc6L|)}&{992{_$J&=4%nRp9BAC6!IB=A&=tF>r8S*O-=!G(_(
zwXbX_rGZgeiK*&n5E;f=k{ktyA1(;x_kiMEt0*gpp_4&(twlS2e5C?NoD{n>X2AT#
zY@Zp?#!b1zNq96MQqeO*M1MMBin5v#RH52&Xd~DO6-BZLnA6xO1$sou(YJ1Dlc{WF
zVa%2DyYm`V#81jP@70IJ;DX@y*iUt$MLm)ByAD$eUuji|5{ptFYq(q)mE(5bOpxjM
z^Q`AHWq44SG3`_LxC9fwR)XRVIp=B%<(-lOC3jI#bb@dK(*vjom!=t|#<@dZql%>O
z15y^{4tQoeW9L<H_624p3-b_rHm8YIC$k6&3$GlwdQslWx5!&!3m}i*?tl5@6;yzj
zoc!Vo*Hbq)-jJ59Sg;T*C)b6<j+VKKLixts|L96bm4=Is0j?L(vXBm$urwF-{$0-V
z<$e6HsrcrOqq`p)uFW!qJ}rO<YKXdHxyO`G#Bia+f>u%G&V$90x6F)xN6y_oIn;!Q
zs)8jT$;&;u%Y>=T3hg34A-+Y*na=|glcStr5D;&5*t5*DmD~x;zQAV5{}Ya`?RRGa
zT*t9@$a~!co;pD^!J5bo?lDOWFx%)Y=-fJ+PDGc0>;=q=s?P4aHForSB+)v0WY2JH
z?*`O;RHum6j%#LG)Vu#ciO#+jRC3!>T(9fr+XE7T2B7Z|0nR5jw@WG)kDDzTJ=o4~
zUpeyt7}_nd`t}j9<K48+u@DhA3`4r+FJ677MR6&8E4f2zla%l|D9N*11$;?agx3`X
zQKMo3I0~ZlYkbWEu`x`yJ@krOwxENL$Rt=$8{!>BKqryOha{34erm)RmST)_9Aw)@
zHbiyg5n&E{_CQR@h<}34d7WM{s{%5wdty1l+KX8*?+-YkNK2Be*6&jc>@{Fd;Ps||
z26LqdI3#9le?;}risDq$K5G3yoqK}C^@-8z^wj%tdgw-6@F#Ju{Sg7+y)L?)U$ez>
zoOaP$UFZ?y5BiFycir*pnaAaY+|%1%8&|(<reOyuH4oC{Ih*Lwy|NYzPCQRQ`ehMF
zEg-;Objn(%#1qC@!zAnKQl4zHMlo)Q+E4pW2QKLde|EyLnXTvQOMSI7T)74sZOfHC
z#$kL6q5^qb8eY0TS0xZc5`Q++ann{Wm9&lnoQ^h6%~gFm-4lj+U9&Zp#WzNXX62+9
zmFZ)1ML^9;#Ht15k!kkQ%3qdk7S&owgs=Ge>@VB)zweR%?IidwJyK5J!STzw&2RFx
zZV@qeaCB01Hu#U9|1#=Msc8Pgz5P*4Lrp!Q+~(G!OiNR{qa7|r^H?FC6gV<apFHH!
zvPyd+`3A>hkk3y7=uW#Sh;&>78bZ}aK*C#NH$9rX@M3f{nckYI+5QG?Aj1DM)@~z_
zw!UAD@gedTlePB*%4+55naJ8ak_;))#S;4ji!LOqY5VRI){GMwHR~}6t4g>5C_#U#
ztYC!tjKjrKvRy=GAsJVK++~$|+s!w9z3H4G^mACv=EErXNSmH<U!EM^MvZ)wb9KT%
z#OZQ%D1oeCN~H?$e4PM)Oo0Nf#@aY_z^1AJ$yBSx5w>7qN}%PKcN|8%9=i)qS5+$L
zu&ya~HW%RMVJi4T^pv?>mw*Gf<)-7gf#Qj|e#w2|v4#t!%Jk{&xlf;$_?jW*n!Pyx
zkG$<18kiLOAUPuFfyu-EfWX%4jYnjBYc~~*9JEz6oa)_R|8wjZA|RNrAp%}14L7fW
zi7A5Wym<E#i_(~)bst!ffFAM+k<@$mzUh70rTL<McKqdHe%2p~vi~IR0fXQ|S)y{r
z;Wp!8-s^RV8y06<5VY%~W5!C@67mJ2juFL?Aei!n9$#?Mxz(e*!?C%d!S^;<NyuK;
z=jOZo@63!X2t3{<2mbRO+M4mhSli$HyTwM2v=i7dSS7zmGorTVUNCfrp5V7W@5-EM
z9Ys`dT15QQomjL6GHVaWEvXi+QV5957MiWw!x~2qrLvvTs8)?0#wqmp4@3O@LG<r!
zk6}xyfn=$w96=KT^BPtNWe<ruqW3j0;LxgBeA49=6TD<@C_{gG$<X&CyDE03IM5)z
zgD@jrZu<T4d;HFH;~S7D52VZ#%z-INbhoB9d^{Iug5R?T=;fLQ(uh#mu6u`Ha62Gc
zoH09p_pkWwHF6o$jc2wh?8ZJGKMj7F>*<L$XY6i+<~=c|V{+>K+V8pkqq<QnfGNr(
zou6uoQ0mUzl`senrxj^LkjsGe;0#a$G>O-X#3ft{0qs?KVt^)?kS>AicmeO&q+~J~
z<sSV8bNrd3A9xC%f$yWrWh#?+O1^-<;70xvO=?7-Uc1E*o02qDCg>p0YJ_P~_a8j=
zsAs~G=8F=M{4GZL{|B__UorX@MRNQLn?*_gym4aW(~+i13knnk1P=khoC-ViMZk+x
zLW(l}oAg1H`dU+Fv**;qw|ANDSRs<RLAc%!hUu-WqF+F5Oeq^z)6;J*CN3_IJ2Nxe
z-;V6)AOdQ4T2Ukyh0P^3nCpm=n$E*LwA)q6EHoozsz{aE^r+ehzxp>>cGqL!Yw^`;
zv;{E&8CNJcc)GHzTYM}f&NPw<6j{C3gaeelU#y!M)w-utYEHOCCJo|Vgp7K6C_$14
zqIrLUB0bsgz^D%V%fbo2f9#yb#CntTX?55X<qx;!okXD~axKjmLH&*OdaOWEc{H0%
zi0MH-X|Jusi;#0rf&N*g-GE;RD$1qdO=oS*<<v&3;DB9~Mn>y|Kps&Xek*4_r=KDZ
z+`TQuv|$l}MWLzA5Ay6C<xwUE$SDueIt18G;rIq+PKrqK)-e%dH7kKgSCZrM6VWd%
zl2lnN?N}w!k%oj}Sb=F~WfJ?Oq-~KxZEt%C$Km;<HWP-Far<SWJWbkJ@m6yOcWFyW
z_Q8799P2jX-Hi_v*fxw=bGS(JHHq<82FgsB@wT053kvhY`h#<lj?p)b>vsa^7x<Dm
z7*W`&66pKXgHH%Ml6<<#8|Qv`3H|XpxHPw;J1j{B-l=VGuJ@O>vwXpy?`w(6vx4XJ
zWuf1bVSb#U8{xlY4<q^>+wlZ$9jjPk)X_;NFMqdgq>m&W=!KtP+6NL57`AMljW+es
zzqjUjgz;V*kktJI?!NOg^s_)ph45>4UDA!Vo0<s{;e|6~VP^gWUU3XjQk;=Xix6pU
zwO|=D;X5iLwh8JKU!FTBb9nZax_m$0O`m}PntuM|vT@{$W}A^6FgT)aaou}yP9OHt
z+BRQkg}S5r2LiCLG|3XarntT@bLzkEQWF1j1PB<L*g6>hn>KZ+h-3=?Y3*R=#!fOX
zP$Y~+14$f66ix?UWB_6r#fMcC^~X4R-<&OD1CSDNuX~y^YwJ>sW0j`T<2+3F9>cLo
z#!j57$ll2K9(%$4>eA7(>FJX5e)pR5&EZK!IMQzOfik#FU*o*LGz~7u(8}XzIQRy-
z!U7AlMTIe|DgQFmc%cHy_9^{o`eD%ja_L>ckU6$O4*U**o5uR7`FzqkU8k4gxtI=o
z^P^oGFPm5jwZMI{;nH}$?p@uV8FT4r=|#GziKXK07bHJLtK}X%I0TON$uj(iJ`SY^
zc$b2CoxCQ>7LH@nxcdW&_C#fMYBtTxcg46dL{vf%EFCZ~eErMvZq&Z%Lhumnkn^4A
zsx$ay(FnN7kYah}tZ@0?-0Niroa~13`?hVi6`ndno`G+E8;$<6^gsE-K3)TxyoJ4M
zb6pj5=I8^FD5H@`^V#Qb2^0cx7wUz&cruA5g>6>qR5)O^t1(-qqP&1g=qvY#s&{bx
zq8Hc%LsbK1*%n|Y=FfojpE;w~)G0-X4i*K3{o|J7`krhIOd*c*$y{WIKz2n2*EXEH
zT{oml3Th5k*vkswuFXdGDlcLj15Nec5pFfZ*0?XHaF_lVuiB%Pv&p7z)%38}%$Gup
z<b3uaN}F=Gim_ol$%3|sHjkH6w3NkSvTNg|$pNIrx_?n%{%+0R`;99PC4<xOluBpR
zU2O5CB{+faJ?d^o`6UNaOpdi{6Wxcn#ldUE@c7sS0hQ<d1bwc@5-Mup64Y_byI5~E
ze(1Scv9rryWVG=>VTa~C8=cw%6BKn_|4E?bPNW4PT7}jZQLhDJhvf4z;~L)506IE0
zX!tWXX(QOQPRj-p80QG79t8T2^az4Zp2hOHziQlvT!|H)jv{Ixodabzv6lBj)6WRB
z{)Kg@$~~(7$-az?lw$4@L%I&DI0Lo)PEJJziWP33a3azb?jyXt1v0N>2kxwA6b%l>
zZqRpAo)Npi&loWbjFWtEV)783BbeIAhqyuc+~>i7aQ8shIXt)bjCWT6$~ro^>99G}
z2<k!)pJyc8u<yVadbWX)2!_&!K=lyrD}wj>XfmT0(|l!)XJb^E!#3z4oEGIsL(xd;
zYX1`1I(cG|u#4R4T&C|m*9KB1`UzKvho5R@1e<V*TeB>YtUL9B72{i(ir&ls8g!pD
ztR|25xGaF!4z5M+U@@lQf(12?xGy`!|3E}7pI$k`jOIFjiDr{tqf0va&3pOn6Pu)%
z@xtG2zjYuJXrV)DUrIF*y<1O1<$#54kZ#2;=X51J^F#0nZ0(;S$OZDt_U2bx{RZ=Q
zMMdd<UQ`729gV*taE)yo&7I6$j1|A$UbHd&qQG|gUmni?yhum!iv{x|f0(p56<HNE
z{|r}=llKTf(UnY3B_)-{B&Ilhl?!Gt;#{A!Ik&y#y&po8@}lQ?&FRcs-Q>$fH|!s{
zXq#l;{`xfV`gp&C>A`WrQU?d{!Ey5(1u*VLJt>i27aZ-^&2IIk=zP5p+{$q(K?2(b
z8?<F{C+DO@u0&46j?yJ2$y`_qSmA<f41gBg&6I6Bc4WTi!On@`Kfs@;Mf4<#yYH%S
z3%=-9Vz2=GO0viySb&ugf@Mk8Vrw0#wF<}kN;VR}yEW9MNABqR`RZL=RHtZ4%8@`Y
zp#Ny|%!HB2ZzUgfDe)Mtj<}lnsKm*hSbL^-xJDeWiDv0GDklMm@t>9h)kvj9SF!Dr
zoyF}?V|9;6abHxWk2cEvGs$-}Pg}D+ZzgkaN&$Snp%;5m%zh1E#?Wac-}x?B<FLY5
z^#|qyQLq|K>YlGN#U#Mek*}kek#I9XaHt?mz3*fDrRTQ#&#~xyeqJk1QJ~E$7qsw6
z?sV;|?*=-{M<1+hXoj?@-$y+(^<DUw2Jr;Zm>BJ1H~wQ9G8C<M!|<37p=^5w$PQ1k
zI75RU({o}zBXPvTFlczyZ!+pcQxRXL4k5~P@IP4UP@{7*ml`gS8j=i(N(J0~3#|$W
z#`Dx?eM5{^y|kSL=^5rzID`fXlPhQ2@)omgy?3h*!>0#^aEAyhDduNX@haoa=PuPp
zYsGv8UBfQaRHgBgLjmP^eh>fLMeh{8ic)?xz?#3kX-D#Z{;W#cd_`9OMFIaJg<n@h
zIvM{(1~1i4U6GYhKf4MAnWumaiROMvmVJ+(p3e<6pce!gGy~U5HS%XPE9#Jf<W#m+
zb_QyVUZ<wCu_xG@9z9_*)RPK9x8IJ=-v7b-iuW|s!`IbP-rnHkSc}B#!RFNU;ClVO
zdDxXw<Lhw^{LS*V&7Z-qDtQxaWnLp+HwMlupdACRzR5|WWj`ztVcQA@+RUVWll~zq
z{qn?RDyo>-=t`_3*!YDgtNQ2+QUEAJB9M{~AvT$H`E)IKmCR21H532+ata8_i_MR@
z2Xj<3w<`isF~Ah$W{|9;51ub*f4#9ziKrOR&jM{x7I_7()O@`F*5o$KtZ?fxU~g`t
zUovNEVKYn$U~VX8eR)qb`7;D8pn*Pp$(otYTqL)5KH$lUS-jf}PGBjy$weoceAcPp
z&5ZYB$r&P$MN{0H0AxCe4Qmd3T%M*5d4i%#!nmBCN-WU-4m4Tjxn-%j3HagwTxCZ9
z)j5vO-C7%s%D!&UfO>bi2oXiCw<-w{vVTK^rVbv#W=WjdADJy8$khnU!`ZWCIU`>#
zyjc^1W~pcu>@lDZ{zr6gv%)2X4n27~Ve+cQqcND%0?IFSP4sH#yIaXXYAq^z3|cg`
z`I3$m%jra>e2W-=DiD@84T!cb%||k)nPmEE<W?@Vxzv1;a$T#%C913?i}`t+rADo#
zC7TuHDW#@wx#E3b<A)T6uJ>09NC%@PS_OLhkrX*U!cgD*;;&gIaA(DyVT4QD+q_xu
z>r`tg{hiGY&DvD-)B*h+YEd+Zn)WylQl}<4>(_NlsKXCRV;a)Rcw!wtelM2_rWX`j
zTh5A|i6=2BA(iMCnj_fob@*eA;V?oa4Z1kRBGaU07O70fb6-qmA$Hg$ps@^ka1=RO
zTbE_2#)1bndC3VuK@e!Sftxq4=Uux}fDxXE#Q5_<FeRxZ5dX0w7NJ1YRHU#Z$BTr$
z`)wN5bJJ+RrkSP-+5&DxF;{yTydOK?&E@|n6{$zZ<l<h_OVq<pLy3}Cs(@^!AKS3v
zs^%D02yP?T1JsVkG_$W1M_(HQj2}0PQ({upTh0DEflgHzkrq_3uQ#o~Xh$r*Hn#XK
z%fUd@E{I)?SYMJGeI}L~)B<FkO~@J|q(Wd60IQ&6Okb!cr?;u~jpWb%H+9jmSrjds
z{3hpy8rDopSBZ_GusW_B)^$dTmE4P&V_Eb^Ih;|L<NY!D5GPH#JeEzeTh$HO@A|Fn
zRc*;Ma?FBd&3c(9Zt!qaZlR5|nMqGrA2Lj7O7tMpWmQy_rjuK|B)Gc_ouOQrj6wEz
z32X<-{ytN?=>x=E1h>T5`D<dtR&xu@*|Ta7Hd8EJn!lw8o@cR!8z8eO@)Vx=X>PHz
zbH<_OjWx$wy7=%0!mo*qH*7N4tySm+R0~(rbus`7;+wGh;C0O%x~fEMkt!eV>U$`i
z5<d_k7|L{*P&u(7rQp7047h3UbY|wjh)RQP$TKl{D0~b7ZKVczu31g*{+{-g>>Q(o
z=t$<p=<~hN1+_h{HfNMhdBWq=6u*-jH!6viz%~sWI#`^RvV~7ac*8S<+(K#fxEe_p
zLbZpanYgH()OwCJr$ckxd~mD)xi7!XCK7P^_y9>gPjgGh0&I7KY#k50V7DJRX<%^X
z>6+ebc9efB3@eE2Tr){;?_w`vhgF>`-<wt92+tk>GDY(YkR{9RH(MiCny<y~1rmBT
z=dU8?rS7ETruzC)etiYZ9@H0U1&xhKdLlcsjIHpes0+3l0*A?A>Rtd!LxXJ75z+?2
zGi<cz0hpHP10;3BfW^UbK|?i^ifVMhOM5tgNDo@PRVaec;GG(&PVVC}!WSnGP1++_
zj7X7}wOo$N4wU`G{9dEHd)iC0+__;{cSTS$w5A&CA{~0{tkn5{Q%AiVsW(Kt{2;Uv
zBC}hb{rgu(YvCPnHSS0;+<C*VukDNqo3wS450JI-3281)fjd<)Bk-Ox`5w9XCzwi@
zp&5d0zI5lIy4<1UjOMJL%mwKt$VX@f5Kf1<C;xU5aS>@m^+2hKJ5sB<T$2V@SQod{
zRaF6_FrEJ05N9c3f!q*;Z05ZmkiEaIoL}q&R~{c5{BIXr)9*1zAB!J$KA+W@@dk7V
zW5l1MLb$_c=9n*)B;obV;jd(QuL`!dk1d-7e1RQ0`^&R)nTJ0daa%iDe~{YM@Qnb3
zu*hzH_KKQq>1@Xi@s_@p_Kwbc<*LQ_`mr^Y%j}(sV_$`J(?_FWP)4NW*BIL~sR>t6
zM;qTJZ~GoY36&{h-Pf}L#y2UtR}>ZaI%A6VkU>vG4~}9^i$5WP2Tj?Cc}5oQxe2=q
z8BeLa$hwCg_psjZyC2+?yX4*hJ58Wu^w9}}7X*+i5Rjqu5^@GzXiw#SUir1G1`jY%
zOL=GE_ENYxhcyUrEt9Xl<FD`E@a9>MNP6kx6h&%6^u3@zB8KUCAa18T(R2J`%JjWZ
z!{7cXaEW+Qu*iJPu+m>QqW}Lo$4Z+!I)0JNzZ&_M%=|B1yejFRM04bGAvu{=lNPd+
zJRI^DRQ(?FcVUD+bgEcAi@o(msqys9RTCG#)TjI!9~3-dc`>gW;HSJuQ<oHtTsmp-
zg)H_2N1wZGNAu6O_Xn(AY+RFAJ-6Mm_93j!W*X|0Ye@4;iY+s6<0b5MjXzo`6IJyz
zLtv`iatXFp+bzc4T?oIjwG<wve*Pc~KpyZ4DKvxF$C%dvH*(Xtf=8k-_oIQotfRTq
zi_<6B=B}307o+ji?B_%DCS{<<$aaC|iJtV&+ZKYGhX!7=v>vH~d`MQs86R$|SKXHh
zqS9Qy)u;T`>>a!$LuaE2keJV%;8g)tr&Nnc;EkvA-RanHXsy)D@XN0a>h}z2j81R;
zsUNJf&g&rKpuD0WD@=dD<sR9w8N7Z}d}V2@hrPnkI(}2BnH&b8WlGN_J`E#!LaROL
zT6x>rPHdBoK42WoBU|nMo17o(5^;M|dB4?|FsAGVrSyWcI`+FVw^vTVC`y}f(BwJl
zrw3Sp151^9=}B})6<JlvqOAvKIjM>@H*i4-dIN_o^br+BkcLa^H56|^2XsT0dESw2
zMX>(KqNl=x2K5=zIKg}2JpGAZu{I_IO}0$EQ5P{4zol**PCt3F4`GX}2@vr8#Y)~J
zKb)gJeHcFnR@4SSh%b;c%J`l=W*40UPjF#q{<}ywv-=vHRFmDjv<xPiJ;i|>)NtmC
zQx9qm)d%0zH&qG7AFa3VAU1S^(n8VFTC~Hb+HjYMjX8r#&_0MzlNR*mnLH5hi}`@{
zK$8qiDDvS_(L9_2vHgzEQ${DYSE;DqB!g*jhJghE&=LTnbgl&Xepo<*uRtV{2wDHN
z)l;Kg$TA>Y|K8Lc&LjWGj<+bp4Hiye_@BfU(y#nF{fpR&|Ltbye?e^j0}8JC4#xi%
zv29ZR%8%hk=3ZDvO-@1u8KmQ@6p%E|dlHuy#H1&MiC<*$YdLkHmR#F3ae;bKd;@*i
z2_VfELG=B}JMLCO-6UQy^>RDE%K4b>c%9ki`f~Z2Qu8hO7C#t%Aeg8E%+}6P7Twtg
z-)dj(w}_zFK&86KR@q9MHicUAucLVshUdmz_2@32(V`y3`&Kf8Q2I)+!n0mR=rrDU
zXvv^$ho;yh*kNqJ#r1}b0|i|xRUF6;lhx$M*uG3SNLUTC@<I49P80xma07<{`YgPN
z)(Ac#bc{dhY#Cu3)v`Q}DZFuLMQN2u7xe+7PIX*m0qDp<6Jkno{rglXV)U;4>|htC
z-=fsw^F%$qqz4%QdjBrS+ov}Qv!z00E+JWas>p?z@=t!WWU3K*?Z(0meTuTOC7OTx
zU|kFLE0bLZ+WGcL$u4E}5dB0g`h|uwv3=H6f+{5z9oLv-=Q45+n~V4WwgO=CabjM%
zBAN+RjM65(-}>Q2V#i1Na@a0`08g&y;W#@sBiX6Tpy8r}*+{RnyGUT`?XeHSqo#|J
z^ww~c;ou|iyzpErDtlV<Y_SCc(_7{}MrPO4rVB@7&Rjy#O2fj5to>U=`8N7JSu>4M
z_pr9=tX0edVn9B}YFO2y(88j#S{w%E8vVOpAboK*27a7e4Ekjt0)hIX99*1oE;vex
z7#%jhY=bPijA=Ce@9rRO(Vl_vnd00!^TAc<+wVvRM9{;hP*rqEL_(RzfK$er_^SN;
z)1a8vo8~Dr5?;0X0J62Cusw$A*c^Sx1)dom`-)Pl7hsW4i(r*^Mw`z5K>!2ixB_mu
z*Ddqjh}zceRFdmuX1akM1$3>G=#~|y?eYv(e-`Qy?bRHIq=fMaN~<jAL}PWcQidRH
zK2yekhS2Lj<8?b`xr58UAX4(T5E1^L&whVF<i9Q^ij@9ed9E_ifd+pE6vaZ5Ry#aY
zA}&HXAstN0LhSxhPG&s*OQPG{+rA08*@HqCho1SsE9gc)wqnJnfgB2HU^I0xnVxj*
zX4m!g{s6*{GQ|W6M46yH&8H0KRHzB%Hb1+zmame~q)Ue3wp6C<-<ZZK_M)*8T|>fB
zUa6I8Rt=)jnplP>yuS+P&PxeWpJ#1$F`iqRl|jF$WL_aZFZl@kLo&d$VJtu&w?Q0O
zzuXK>6gmygq(yXJy0C1SL}T8AplK|AGNUOhzlGeK_oo|haD@)5PxF}rV+5`-w{Aag
zus45t=FU*{LguJ11Sr-28EZkq;!mJO7AQGih1L4rEyUmp>B!%X0YemsrV3QFvlgt*
z5kwlPzaiJ+kZ^PMd-RRbl(Y?F*m`4*UIhIuf#8q<Nz@soPkY1ALkT*eHhnbbIB_gT
zwEAmPh9_mjMLG@Ns1qCf8u)<9ISwg$Bqf?2y^HBtk5P?|2w6>>H_M=fM*L_Op-<_r
zBZagV=4B|EW+KTja?srADTZXCd3Yv%^Chfpi)cg{ED${SI>InNpRj5!euKv?=Xn92
zsS&FH(*w`qLI<rdK|7Qb<c1TJj-yb9%q!4Kl-gZhZ0&i~?1Smlus~@u79ojelr}e=
z=(jH{&~FQJuR)VS@A!!<bs@smdUy8&t|3w(Ru!w~g8*dFaH0ct>y$doc>RE&A5R?u
zzkl1sxX|{*fLp<pkJUphzMYHr37AZg0<9Q!);Dms#VK@7w$(ZE_TiLt!QccO&=fNh
z83;??=IfxriuU6rn*5zF)5oJ^dWG?|gwh&}q9z`cmSZSRKGM<9JUXgj2HP@ki@EyB
zPj?ggbGP#(J(EMkDShSp(c?_>XvIW>9d<$ePROttn3oc6R!sN{&Y+>Jr@yeQN$sFR
z;w6A<2-0%UA?c8Qf;sX7>>uKRBv3Ni)E9pI{uVzX|6Bb0U)`lhLE3hK58ivfRs1}d
zNjlGK0hdq0qjV@q1qI%ZFMLgcpWSY~mB^LK)4GZ^h_@H+3?dAe_a~k*;9P_<R7XN(
z&HGNI!PYhVXyq^_=bMf}N6^ok_FD5wiKI-2%nC=ATeOPtc<W3f4qR0C>d7%NEFP6+
zgV(oGr*?W(ql?6SQ~`lUsjLb%MbfC4V$)1E0Y_b|OIYxz4?O|!kRb?BGrgiH5+(>s
zoqM}v*;OBfg-D1l`M6T6{K`LG+0dJ1)!??G5g(2*vlNkm%Q(MPABT$r13q?|+kL4-
zf)Mi5r$sn;u41aK(K#!m+goyd$c!KPl~-&-({j#D4^7hQkV3W|&>l_b!}!z?4($OA
z5IrkfuT#F&S1(`?modY&I40%gtroig{YMvF{K{>5u^I51k8RriGd${z<Y3I3im=|8
z%$wv|wOEi8mu|yn0sn9E+Qi~7!OCIls-XU^J6|DHO_&{OHFY6TnAa~}E2>)=5k2tG
zM|&Bp5kDTfb#vfu<Z8(fb`i1z5wam|g63@h@f<+rCe0^)xyy?F)?N0$kWv4tqkpY=
z|3gMq{41bNQKPxivJ4dRDGYL+wvozbM|9~2fRq%3DHYS}cYPOyWb;?dy#H5(Ih0qD
zkVJkMZ*Py0(6NmwNO)Lq$X1r;R}D>TTd?)a=>bX=lokw^y9+2LS?kwHQIWI~pYgy7
zb<qS%zT{Z;-?o6LsXKA|-3BgzAw}ClH1epD-+P;mIUo2I{0lLes<XJMvzg#Bbe7DY
zG_Uq)WFe{s;pIJbW*B(HF<&(BRKZq@PN5oU9?D1X>?A-RKVm_vM5!9?C%qYdfRAw&
zAU7`up~%g=p@}pg#b7E)BFYx3g%(J36Nw(Dij!b>cMl@CSNbrW!DBDbTD4OXk!G4x
zi}JBKc8HBYx$J~31PXH+4^x|UxK~(<@I;^3pWN$E=sYma@JP|8YL`L(zI6Y#c%Q{6
z*APf`DU$S4pr#_!60BH$FGViP14iJmbrzSrOkR;f3YZa{#E7Wpd@^4E-zH8EgPc-#
zKWFPvh%WbqU_%ZEt`=Q?odKHc7@SUmY{GK`?40VuL~o)bS|is$Hn=<=KGHOsEC5tB
zFb|q}gGlL97NUf$G$>^1b^3E18PZ~Pm9kX%*ftnolljiEt@2#F2R5ah$zbXd%V_Ev
zyDd{1o_uuoBga$fB@Fw!V5F3jIr=a-yk<G{P%>qrK?WWZ#a(bglI_-8pq74RK*KfQ
z0~Dzus7_l;pMJYf>Bk`)`S8gF!To-BdMnVw5M-pyu+aCiC5dwNH|6fgRsIKZcF&)g
zr}1|?VOp}I3)IR@m1&HX1~#wsS!4iYqES<Oq!z^aMIT{Q??S@v&*GbF7q97kSl@?K
zC$z`Bzx+I?h3E?|U&YSk%hU7kC(QpfpZ+&mhLZFbpGNmFX*V`jC*LO2kmEO_Z~=`>
zK}4J{Ei>;e3>LB#Oly>EZkW14^@YmpbgxCDi#0RgdM${&wxR+LiX}B+<h)+#yyKdg
zysFvW_W7nZ&<-(uGY@AGZ5D2!%>iRioOB0(pDKpVEI;ND?wNx>%e|m{RsqR_{(nmQ
z3ZS}@t!p4a(BKx_-CYwrcyJ5u1TO9bcXti$8sy>xcLKqKCc#~UOZYD{llKTSFEjJ~
zyNWt>tLU}*>^`TvPxtP%F`ZJQw@W0^>x;!^@?k_)9#bF$j0)S3;mH-IR5y82l|%=F
z2lR8zhP?XNP-ucZZ6A+o$xOyF!w;RaLHGh57GZ|TCXhJqY~GCh)aXEV$1O&$c}La1
zjuJxkY9SM4av^Hb;i7efiYaMwI%jGy`3NdY)+mcJhF(3XEiSlU3c|jMBi|;m-c?~T
z+x0_@;SxcoY=(6xNgO$bBt~Pj8`-<1S|;Bsjrzw3@zSjt^JC3X3*$HI79i~!$RmTz
zsblZsLYs7L$|=1CB$8qS!tXrWs!F@BVuh?kN(PvE5Av-*r^iYu+L^j^m9JG^#=m>@
z=1soa)H*w6KzoR$B8mBCXoU;f5^bVuwQ3~2LKg!yxo<XQ$IAc;ya0F4IP5hmZW0n(
zeoH>mG1#XPmn(?YH<r<yFVclsbGRF9L2n2S9>@E~_ED+W6mxs%x{%Z<$pW`~ON<jr
zb@Rh%`t#?I<L3yZl{J^|&N^NYcBZh%My>1~2XjP5v(0{C{+6Dm$00tsd3w=f=ZENy
zOgb-=f}|Hb*LQ$YdWg<(u7<GTVlvJ^WI42~hhU2v*|!uo(`G=2+{}i#sqV$xDASf<
z@BJ)K+GlMseqK(xbd0N8;flrWX{U|f6iVUhp2C8U6V%`<#w1zFsPHlj&@qhoQ^=nF
z6v6aigM_Vb$5&}LkM25m&fIkuPtbE8{LAP5`M)3J|2(|M4gtoWqx*l9ndfm(jDdbS
z;F;wqL8@O#jzJ_!L@a8Vr=(ty%9Ya<&mYkPK-upKKzu>x3`PKF)B7ZfZ6;1FrNM63
z?O6tE%EiU@6%rVuwIQjvGtOofZBGZT1Sh(xLIYt9c4VI8`!=UJd2BfLjdRI#SbVAX
ziT(f*RI^T!IL5Ac>ql7uduF#nuCRJ1)2bdvAyMxp-5^Ww5p#X{rb5)(X|fEhDHHW{
zw(Lfc$g;+Q`B0AiPGtmK%*aWfQQ$d!*U<|-@n2HZvCWSiw^<SosZid&Mq7{pz6&V3
zd@R%+SsepGL-*aKdhzR%Vvbs43uAoIdC_3qKoUK@QdY*}5w2umG!7DWQeEKlHV6q$
z_Vh)Q-FM<!WD1@h?zMdvF;}=nMKN{e&z-e2q1E@fiAqu40_=<UFNQe-L84I;Y_c%j
zXOf_0V-dW;=^lZ_p{hCK<*1Qn9RCXL-o=HCfl~b1_&}HQrR3DMhN0xaXs&X+H^PhX
zjG$NyjtoK3(r=AP7}oP%4fb^}B?XNlaB{n~xP1Xi9IZ>I>#vh+LyC;aaVWGbmkENr
z&kl*8o^_FW$T?rDYLO1Pyi%>@&kJKQoH2E0F`HjcN}Zlnx1ddoDA>G4Xu_jyp6vuT
zPvC}pT&Owx+qB`zUeR|4G;OH(<<^_bzkjln0k40t`PQxc$7h(T8Ya~X+9gDc8Z9{Z
z&y0RAU}#_kQGrM;__MK9vwIwK^aoqFhk~dK!ARf1zJqHMxF2?7-8|~yo<mfEO9=@^
zS^!0=f8b>O@_~Ed;_wvT%Vs{9RK$6uUQ|&@#6vyBsFK9eZW1Ft#D2)VpQRwpR(;x^
zdoTgMqfF9iBl%{`QDv7B0~8{8`8k`C4@cbZAXBu00v#kYl!#_Wug{)2PwD5cNp?K^
z9+|d-4z|gZ!L{57>!Ogfbzchm>J1)Y%?NThxIS8frAw@z>Zb9v%3_3~F@<=LG%r*U
zaTov}{{^z~SeX!qgSYow`_5)ij*QtGp4lvF`aIGQ>@3ZTkDmsl#@^5*NGjOuu82}o
zzLF~Q9SW+mP=>88%eSA1W4_W7-Q>rdq^?t=m6}^tDPaBRGFLg%ak93W!kOp#EO{6&
zP%}Iff5HZQ9VW$~+9r=|Quj#z*=YwcnssS~9|ub2>v|u1JXP47vZ1&L1O%Z1Ds<y1
zKGhYGqMl$%q``Pf)AeU^htE>OrDfSIMHU{VT>&>H=9}G3i@2rP+rx@eU@uE8rJNec
zij~#FmuEBj03F1~ct@C@$>y)zB+tVyjV3*n`mtAhI<Hd#M@#m|U%%fPzKpS=8^jh0
zL8{$eQBGDxNs#cZ9W_F*%I@t0Ecr241+VZB`dP=cQbRx5C6V0E8hva(E`B^pdHgL|
z{&5>M0$58vM9jOQC}JJOem|EpwqeMuYPxu3sv}oMS?S#o6GGK@8PN59)m&K4Dc&X%
z(;XL_kKeYkafzS3Wn5DD>Yiw{LACy_#jY4op(>9q>>-*9@C0M+=b#bknAWZ37^(Ij
zq>H%<@>o4a#6NydoF{_M4i4zB_KG)#PSye9bk0Ou8h%1Dtl7Q_y#7*n%g)?m>xF~(
zjqvOwC;*qvN_3(*a+w2|ao0D?@okOvg8JskUw(l7n`0fncglavwKd?~l_ryKJ^Ky!
zKCHkIC-o7%fFvPa$)YNh022lakMar^dgL=t#@XLyNHHw!b?%WlM)R@^!)I!smZL@k
zBi=6wE<uBK&#|s)0id-YUbF|8EPGSGH#_Nnlfmnx-A{yYewA#u&;8}f{mZTU`V%Vx
zw+kY#P{Vftbb_Kx6Y^&ExMgX^Mv0aE2ugq_I13BLg;kULC8h9=4mjSmMlD_q9Weew
zQP6=zR=$<}g~zzw5d*9AxF4p1bS)})m*Am0;N4P5h;=f3SqJHg(}O<h%;?&y!q3aJ
zM0lZW!Y2FVPfVs5!A8r2PY%jXR;(thZCy+-4If<jrsBG5eyH8BP$MdVS}wcThQNK)
zKIDBa>5)2v&!UNV(&)oOYW(6Qa!nUjDKKBf-~Da=#^HE4(@mWk)<uU{=obsLdUI3h
zHmqdEK8EB5g|CJ1waElw;@$z(IDUSb4jynL@<Dcx{+7nmSS)kq1|+E@VN%nmRkMiR
zs=e6GO30hK26C#QIG|w8+|fawvH;IKl%paiw=s1CoUBE@_O7IxK{t{GeiX5Bw#IBg
zy}V!1(_y)p_WaM*T{~mUh~q`irqOUPd<%ojktmiS@MD>LPvhyN3i4goB$3K8iV7uh
zsv+a?#c4&NWeK(3AH;ETrMOIFgu{_@%XRwCZ;L=^8Ts)hix4Pf3yJRQ<8xb^CkdmC
z?c_gB)XmRsk`9ch#tx4*hO=#qS7={~Vb4*tTf<5P%*-XMfUUY<TA8uu1Q&SE*j^Oz
z=-_T`Y_dFx=4yScs+$!sJ58a1Qi$jurfsZ>kI9T1cEF;ObfxxI-yNuA=I$dCtz3ey
znVkctYD*`fUuZ(5<dGK9+E5m(x+j!E1gBD<m;epCW&-dEFrxIWm6v|{RNP287N@@(
z&RwFD-KScCNJ<>7+^B*R=Q}~{1z#2!ca?)+YsRQb+lt^LmEvZt_`=j^wqig+wz@n@
z`LIMQJT3bxMzuKg8EGBU+Q-6cs5(@5W?N>JpZL{$9VF)veF`L5%DSYTNQEypW%6$u
zm_~}T{HeHj1bAlKl<bNiI7kGAT=WJaCg#3PHf(sw37beu4irZqPQM6)OVU((ZqiFe
zh7}c1t^`(7HQ`GHm>8ii92l9~$dm=UM21kLemA&b$;^!wB7#IKWGnF$TVq!!lBlG4
z{?Rjz?P(uvid+|i$VH?`-C&Gcb3{(~Vpg`w+O);Wk1|Mrjxrht0GfRUnZqz2MhrXa
zqgVC9nemD5)H$to=~hp)c=l9?#~Z_7i~=U-`FZxb-|TR9@YCxx;Zjo-WpMNOn2)z)
zFPGGVl%3N$f`gp$gPnWC+f4(rmts%fidpo^BJx72zAd7|*Xi{2VXmbOm)1`w^tm9%
znM=0Fg4bDxH5PxPEm{P3#A(mxqlM7SIARP?|2&+c7qmU8kP&iApzL|F>Dz)Ixp_`O
zP%xrP<k$wQk~?_FT73lz;bX*6=D5hHv{$OG+ESaX)ae8>1M6@oYhgo$ZWwrAsYLa4
z|I;DAvJxno9HkQrhLPQk-8}=De{9U3U%)dJ$955?_AOms!9gia%)0E$Mp}$+0er@<
zq7J&_SzvShM?e%V?_zUu{niL@gt5UFOjFJUJ}L?$f%eU%jUSoujr{^O=?=^{19`ON
zlRIy8Uo_nqcPa6@yyz`CM?pMJ^^SN^Fqtt`GQ8Q#W4kE7`V9^LT}j#pMChl!j#g#J
zr-=CCaV%xyFeQ9SK+mG(cTwW*)xa(eK;_Z(jy)wo<nmrLjO|ztv*nplaAl0pOFIhc
zZe;A@?4xmZHrI(+Y#%y4JBydr1g6#IYFihmK+)HufuUTxq$8qVOdp3boOq1P;Wv@K
zwXG&kim4YnysqJGu(l+!DM|q?7$}thxr;l?%GuKali@m896TRH<j~86OHh|?hFiON
zoVTO2Q4vtq%AS1ZzYe5%=fvKeF$UDaWs%{qd@6uW$5nPva?M$)-R6sQz?-*9>Zp~>
zA(4}-&VH+TEeLzPTqw&FOoK(ZjD~m{KW05fiGLe@E3Z2`rLukIDahE*`u!ubU)9`o
zn^-lyht#E#-dt~S>}4y$-mSbR8{T@}22cn^refuQ08NjLOv?JiEWjyOnzk<^R5%gO
zhUH_B{oz~u#IYwVnUg8?3P*#DqD8#X;%q%HY**=I>>-S|!X*-!x1{^l#OnR56O>iD
zc;i;KS+t$koh)E3)w0<sr_&V$&&^jwvKZE>OjWJl_aW2;xF=9D9Kr>)(5}4FqUbk#
zI#$N8o0w;IChL49m9CJTzoC!|u{Ljd%ECgBOf$}&jA^$(V#P#~)`&g`H8E{uv52pp
zwto`xUL-L&WTAVREEm$0g_gYPL(^vHq(*t1WCH_6alhkeW&GCZ3hL)|{O-jiFOBrF
z!EW=Jej|dqQitT6!B-7&io2K)WIm~Q)v@yq%U|VpV+I?{y0@Yd%n8~-NuuM*pM~KA
z85YB};IS~M(c<}4Hxx>qRK0cdl&e?t253N%vefkgds>Ubn8X}j6Vpgs>a#nFq$osY
z1ZRwLqFv=+BTb=i%D2Wv>_yE0z}+n<tX7=B(@omRDE4?_eQVXQv?Hdp3mP%L7_)rJ
zceU9n0F0eAb5q_*CY^$%aws@y6mOF934p6R@I02AiG$kI%gnd`UPSCop=0b3KK$X-
zk-)b~vVG#IP{XT_WwHf9Y*n)4+*X%H1=HFzGgIreH<FzmQ(C#KDP;be%rXl#(zren
z3;Gheo^MEIift!$({sqVYci@r6Dj9mg`Hdp*Tg83DVhi6WX!_~b2|?rFE`d=h~~1X
z6i36B4#G%u>iZ4?rE|*a3d7^kndWGwnFqt+iZ(7+aln<}jzbAQ(#Z2SS}3S$%Bd}^
zc9ghB%O)Z_mTZMRC&H#)I#fiLuIkGa^`4e~9oM5zKPx?zjkC&Xy0~r{;S?FS%c7w<
zWbMpzc(xSw?9tGxG~_l}Acq}zjt5ClaB7-!vzqnlrX;}$#+PyQ9oU)_DfePh2E1<7
ztok6g6K^k^DuHR*iJ?jw?bs_whk|bx`dxu^nC6#e{1*m~z1eq7m}Cf$*^Eua(oi_I
zAL+3opNhJteu&mWQ@kQWPucm<ysMdVUPHbq+gV?rGqRHPp%uV!-l3=Q6r-oAMj1Uf
z?b8Zw!CdncfJ4Z*7>iP)4|nFG`b2tpC;h{-PI@`+h?9v=9mn|0R-n8#t=+Z*FD(c5
zjj79Jxkgck*DV=wpFgRZuwr%}KTm+dx?RT@aUHJdaX-ODh~gByS?WGx&czAkvkg;x
zrf92l8$Or_zOwJVwh>5rB`Q5_5}ef6DjS*$x30nZbuO3dijS*wvNEqTY5p1_A0gWr
znH<(Qvb!os14|R)n2Ost>jS2;d1zyLHu`Svm|&dZD<e=++}X$(_vT!eDWbK#-aOcb
zi(KgPl`rO!O(9j=^cVi}IJNF4xy!cZ^|4Qs?8*Y{23A~ZFVr#LH`z~t(_yzQt&2M^
z#F0(lV{PSkxR!@r$_LIxAwOO4D~UhYNt;i4b$LF+l)!<Mlhtrc{(+#www<UPw<{4h
zpfbM!C=Fd%YcqvBrKlm>+PpP{Bh>U&`Md;gRl64q;>{8MJJM$?UNUd`aC>BiLe>*{
zJY15->yW+<3rLgYeTruFDtk1ovU<$(_y7#HgUq>)r0{^}Xbth}V#6?%5jeFYt;SG^
z3qF)=uWRU;Jj)Q}cpY8-H+l_n$2$6{ZR?&*IGr{>ek!69ZH0ZoJ*Ji+ezzlJ^%qL3
zO5a`6gwFw(moEzqxh=yJ9M1FTn<T5L*i(<zj`a8@-`*Y*d1O*$5VlE~&#SB+H9}iw
zB3)>!eo&qD#y5AZXErHs%22?A+JmS&GIolml!)rZTnUDM3YgzYfT#;OXn)`PWv3Ta
z!-i|-Wojv*k&bC}_JJDjiAK(Ba|YZgUI{f}TdEOFT2+}nPmttytw7j%@bQZDV1vvj
z^rp{gRkCDmYJHGrE1~e~AE!-&6B6`7UxVQuvRrfdFkGX8H~SNP_X4<w;C2T`tyKC_
zi-<IDL>EodVd;lXd^>eV1jN+Tt4}Rsn)R0LxBz0c=NXU|pUe!MQQFkGBWbR3&(jLm
z%RSLc#p}5_dO{GD<NWe-r|=Q6-4PleiDwT(2|~KO8GT0gfR~)=qKWhs>=DEFr=Fc%
z85CBF>*t!6ugI?soX(*JNxBp+-DdZ4<rEK)&M`6wOoocN!#y@nw+fsyKHosdUZSs#
zY>X0LldiK}+WWGvXV(C(Ht|!3$psR=&c*HIM=BmX;pRIpz@Ale{9dhGe(U2|Giv;#
zOc|;?p67J=Q(kamB*aus=|XP|m{jN^6@V*Bpm?ye56Njh#vyJqE=DweC;?Rv7faX~
zde03n^I~0B2vUmr;w^X37tVxUK?4}ifsSH5_kpKZIzpYu0;Kv}SBGfI2AKNp+VN<s
z&%`{SSX=7`cuk&HSpr5=9(NBlPiF6=d$2k4+qBuZEtEp{q9rXkkSlz~m$@K5d@1sb
zV&-+U{A<aWf$z&7U9^^scEEAOgD13Kt{%E-i<cL-_`0>#z`nI{UNDRbo-wqa4NEls
zICRJpu)??cj^*WcZ^MAv+;bDbh~gpN$1Cor<{Y2oyIDws^JsfW^5AL$azE(T0p&pP
z1Mv~6Q44R&RHoH95&OuGx2srIr<@zYJTOMKiVs;Bx3py89I87LOb@%mr`0)#;7_~Z
zzcZj8?w=)>%5@HoCHE_&hnu(n_yQ-L(~VjpjjkbT7e)Dk5??fApg(d>vwLRJ-x{um
z*Nt?DqTSxh_MIyogY!vf1mU1`Gld-&L)*43f6dilz`Q@HEz;+>MDDYv9u!s;WXeao
zUq=TaL$P*IFgJzrGc>j1dDOd<P6obJsU?i;%~VO18%pw+u7Z7zDM{)mIn14~Q_iX3
zT{Tx9IMu^l8)U&uPF2B_@;$LfUzf<C;nO$|L9fQPGc5pM<ix6!$F5fSR4J=#3pL1>
zed+=ZBo?w4mr$2)Ya}?vedDopomhW1`#P<%YOJ_j=WwClX0xJH-<Xq=YwhDDH5<ir
z)fn*!W2|$oe({@J6>f@s?<R{WuTm{#vF3!6EowIp1Yl(A5Iq}el2(>^tmzs_j7t!k
zK@j^zS0Q|mM4tVP5Ram$VbS6|YDY&y?Q1r1joe9dj08#CM{RSMTU}(RCh`hp_Rkl-
zGd|C<M{UA`Ev@3>v~G@F{DLhCizAm9AN!^{rNs8hu!G@8RpnGx7e`-+K$ffN<0qjR
zGq^$dj_Tv!n*?zOSyk5skI7JVKJ)3jysnjIu-@VSzQiP8r6MzudCU=~?v-U8yzo^7
zGf~SUTvEp+S*!X9uX!sq=o}lH;r{pzk~M*VA(uyQ`3C8!{C;)&6)95fv(cK!%Cuz$
z_Zal57H6kPN>25KNiI6z6F)jzEkh#%OqU#-__Xzy)KyH};81#N6OfX$$IXWzOn`Q&
z4f$Z1t>)8&8PcYfEwY5UadU1yg+U*(1m2ZlHoC-!2?gB!!fLhmTl))D@dhvkx#+Yj
z1O=LV{(T%{^IeCuFK>%QR!VZ4GnO5t<M8oXd(Iwnd!%6;G4+b$sfV@nF>K8a+thWE
zg4VytZ<!+^Z3OxbQ{Q^NT}C^&{w?l_efsLU3K<LxNcF3In!jBW`E4P@@Q>rwcS?7^
zuZfhYnB8dwd%VLO?DK7pV5Wi<(`~DYqOXn8#jUIL^)12*Dbhk4GmL_E2`WX&iT16o
zk(t|hok(Y|v-wzn?4x34T)|+SfZP>fiq!><*%vnxGN~ypST-FtC+@TPv*vYv@iU!_
z@2gf|PrgQ?Ktf*9^CnJ(x*CtZVB8!OBfg0%!wL;Z8(tYYre0vcnPGlyCc$V(Ipl*P
z_(J!a=o@vp^%Efme!K74(Ke7A>Y}|sxV+JL^<EBm?s93Gk}89>aYa{~m%5#$$+R1?
zGaQhZTTX!#s#=Xtpegqero$RNt&`4xn3g$)=y*;=N=Qai)}~`xtxI<AZ4F;JTD<8R
zj!)c(h~W5ym&ztJHonI$wOw!ilm$MYm9Bza-hgQlyVgU%3gL7ZR{DGw;SC3(2jmN#
zEN0r*A}At(0W#Ah$kNBdq7}-SmKb}m?}0D&ayCSIp<(7rh{N(>_N*#MMCIq#HFifT
zz(-*m;pVH&+4bixL&Bbg)W5FN^bH87pAHp)<cHV|Z#UZzRmhx)v+J#b;z4`Q?k?-R
z?Mwe6>zPkWNMfTFqS=l~AC$3FX3kQUSh_C?-ZftyClgM)o_D7cX$RGlEYblux0jv5
zTr|i-I3@ZPCGheCl~BGhImF)K4!9@?pC(gi3ozX=a!|r1)LFxy_8c&wY0<^{2cm|P
zv6Y`QktY*;I)IUd5y3ne1CqpVanlY45z8hf4&$EUBnucDj16pDa4&GI&TArYhf*xh
zdj>*%APH8(h~c>o@l#%T>R$e>rwVx_WUB|~V`p^JHsg*y12lzj&zF}w6W09HwB2yb
z%Q~`es&(;7#*DUC_w-Dmt7|$*?TA_m;zB+-u{2;Bg{O}nV7G_@7~<)Bv8fH^G$<M*
z&d&;aLbJI7DA_i+KF+_Y*db5T=T0$Yb3d-`R$T@3wLZQCDrGFAM6Hy)P81(B7I-}^
zZ#X&{ChGm1hJg}`oiCWrMyeKG-CKZgKD^F(ua7wxm46IP%8KAiuDjGgHkpHlqY{44
z6u+EZH5*`-Tmv@0q-e$H7@qYxb=7lP*Uw9V-%F*BSf3gnl(tEHIo~UWGwgNM?yNh+
z4`DXIz*~q@Zt5=B?(4}yS%0CI2f?0DXy#?0A|S`Rsho0pv40`;)dJpwh<81-^iiuK
z%Vi?_s~)&i)z1SmPY1<XW`lTd<YCBKxgcl4zKk4DeAbUOOvIYr?)CoiY>XG8$(&{A
zwXJK5LRK%M34(t$&NI~MHT{UQ9qN-V_yn|%PqC81EIiSzmMM=2zb`mIwiP_b)x+2M
z7Gd`83h79j#SItpQ}luuf2uOU`my_rY5T{6P#BNlb%h%<#MZb=m@y5aW;#o1^<f$w
z=h?@HX|<iV!fmbN2X4(oxX(FwV@xQ6hBb_M4Z>2Z)SWo+b`y0gV^iRcZtz5!-05vF
z7wNo=hc6h4hc&s@uL^jqRvD6thVYtbErDK9k!;+a0xoE0WL7zLixjn5;$fXvT=O3I
zT6jI&^A7k6R{&5#lVjz#8%_RiAa2{di{`kx79K+j72$H(!ass|B%@l%KeeKchYLe_
z>!(JC2fxsv>XVen+Y42GeYPxMWqm`6F$(E<6^s|g(slNk!lL*6v^W2>f6hh^mE$s=
z3D$)}{V5(Qm&A6bp%2Q}*GZ5Qrf}n7*Hr51?bJOyA-?B4vg6y_EX<*-e20h{=0Mxs
zbuQGZ$fLyO5v$nQ&^kuH+mNq9O#MWSfThtH|0q1i!NrWj^S}_P;Q1OkYLW6U^?_7G
zx2wg?CULj7))QU(n{$0JE%1t2dWrMi2g-Os{v|8^wK{@qlj%+1b^?<vxdN3hhv>NI
z$}l2tjp0g>K3O+p%yK<9!XqmQ?E9>z&(|^Pi~aSRwI5x$jaA62GFz9%fmO3t3a>cq
zK8Xbv=5Ps~4mKN5+Eqw12(!PEyedFXv~VLxMB~HwT1Vfo51pQ#D8e$e4pFZ{&RC2P
z5gTIzl{3!&(tor^BwZfR8j4k{<RRDK>7Rq#`riKXP2O-Bh66#WWK2w=z;iD9GLl+3
zpHIaI4#lQ&S-xBK8PiQ%dwOh?%BO~DCo06pN7<^dnZCN@NzY{_Z1>rrB0U|nC&+!2
z2y!oBcTd2;@lzyk(B=TkyZ)zy0deK05*Q0zk+<m@@d`~L>o$@nun`VI1Er7pjq>8V
zNmlW{p7S^Btgb(TA}jL(uR>`0w8gHP^T~Sh5Tkip^spk4SBAhC{TZU}_Z)UJw-}zm
zPq{KBm!k)?P{`-(9?LFt&YN4s%SIZ-9lJ!Ws~B%exHOeVFk3~}HewnnH(d)qkLQ_d
z6h><vmhITb#1N_8X1Z(L5Z-Mt1QD-4--ZSQa|I2k|2yb`=kK=Y{xq2W9@z8ykeYTE
z(sLIxoB*Jf@`g}u$%PTp1k#3_<Y0()`Q@U-raX1Vot0=ZY_hD?M86FdNIhTjrJxZ+
zJ((diYOZbq`Uha?I6CglyX`fAgexzumMOh3N@)+6OQ*_0dT^VSFf_smVHDjg55<Jl
zH2Ozsu;$G}j>O)pEE{vbOVw}E+jdYC^wM+AAhaI(YAibUc@B#_mDss0Ji&BK{WG`4
zOk>vSNq(Bq2IB@s>>Rxm6Wv?h;Z<HWsJXErNyl(WAMS;TU3O?s5_Llui-|!JglEvo
z$E2mYL3+SPK!E!7%WQv?cHL*#*)*5PhS)J5GV09TI$ZnD5J-@RK1t0}*-9n4F=AJg
z@YsA@xfMsv#w~_vqJq-JmLhW#heOMgz)(!epQo{MZD5-(_n`&FvWL)jB4Ys1EdZfI
zoaBo@7-CroK$CL=LyAo`ptq!pX?Uo!KIaWj7|yHs%MYw!l&%tFp^xeV$e}_JqO0pN
zNxaGWM<%{B0&9iTjFXOdP?w#{jHX>Xkpb1l8u|+_qXWdC*jjcPCixq;!%BVPSp#hP
zqo`%cNf&YoQXHC$D=D45RiT|5ngPlh?0T~?lUf*O)){K@*Kbh?3RW1j9-T?%lDk@y
z4+~?wKI%Y!-=O|_IuKz|=)F;V7ps=5@g)RrE;;tvM$gUhG>jHcw2Hr@fS+k^Zr~>G
z^JvPrZc}_&d_kEsqAEMTMJw!!CBw)u&ZVzmq+ZworuaE&TT>$pYsd9|g9O^0orAe8
z221?Va!l1|Y5X1Y?<Q2k@C>{G7rt1sX#qFA^?RLG^VjoxPf63;AS=_mVDfGJKg73L
zsGdnTUD40y(>S##2l|W2Cy!H(@@5KBa(#gs`vlz}Y~$ot5VsqPQ{{YtjYFvIumZzt
zA{CcxZLJR|4<x-MAle2Nd|D%3<KvN6^~LMtrTQKT11XTUTsz-QKf89?*YA3bbocsv
z<tG;Y1lpf_{>#{j7k~Tu*jkwz8QA|5G1$Cl895R`<bW@zkRsPYS`N#4&EBxmd{@y_
z#&U+_?ao#Kwx+DC{AN!PZYAX?2(H1uQyF~p>Zyp;irp1{KN){kB<t|Lg})VytK%aH
zCJdJ3Re6v<r!FVDLBzZp{ZdlRHq_XzsY7pir9Q3LQAJ+IOOcz}u=>30O8P1W5;@bG
znvX74roeMmQlUi=v9Y%(wl$ZC#9tKNFpvi3!C}f1m6Ct|l2g%psc{TJp)@yu)*e2>
z((p0Fg*8gJ!|3WZke9;Z{8}&NRkv7iP=#_y-F}x^y?2m%-D_aj^)f04%mneyjo_;)
z6qc_Zu$q37d~X``*eP~Q>I2gg%rrV8v=kD<S$$Du%7)9vB5*3kar-m(rC|$tWLh`b
zcoxYH(*j~EVZ>fpp$=%Vj}hF)^dsSWygoN(A$g*E=Do6FX?&(@F#7pbiJ`;c0c@Ul
zDqW_90Wm#5f2L<(Lf3)3TeXtI7nhYwRm(F;*r_G6K@OPW4H(Y3O5SjUzBC}<?|Tm0
zRP=fu|E~4-g)9SuK=BRizYL2M|GU<InE379H^~Fl#JuQ1SzKoHfLmc9R0#Sg+k((d
zhN8HzM*VhCp<uO4>u3d|eQ8<Ba^oJ-NVK>*8d@?;zUPE+i#QNMn=r(ap?2SH@vo*m
z3HJ%XuG_S6;QbWy-l%qU;8x;>z>4pMW7>R}J%QLf%@1BY(4f_1iixd-6GlO7Vp*yU
zp{VU^3?s?90i=!#>H`lxT!q8rk>W_$2~kbpz7eV{3wR|8E=8**5?qn8#n`*(bt1<M
zlk{?%Mh@~#mQl*b5K-2c;P;AWttPx=rB~Os`<u!ZxgjvPCt_!HNidwq(fg-i3DKTv
z?L6K*ehZ#KPjHDJ5vWuMs>xRQrdGxyx2y%B$qmw#>ZV$c7%cO#%JM1lY$Y0q?Yuo>
ze9KdJoiM)RH*SB%^;TAdX-zEj<!({s>A7@%<k)#%bD2GjyYCHnZiy-B)zMUf<(h`v
z6r)G0@ahyae4&QsKnOdXX44T}#dpO3&z>y=!0=Zg%iWK7jVI9b&Dk}0$Af&08KHo+
zOwDhFvA(E|ER%a^cdh@<ajPmA)cO>^wLUlmIv6?_3=BvX8jKk92L=Y}7Jf5OGMfh`
zBdR1wFCi-i5@`9km{isRb0O%TX+f~)KNaEz{rXQa89`YIF;EN&gN)cigu6mNh>?Cm
zAO&Im2f<R$(FpJ-`ul}(ek!d0=fY-I4EB1j^=!?42}Ai4Ov$fceybC`ldYb$wUO<g
zK&64tq3)(3caC8H2^0c!zYlKgzjgZ=)Y{6D!P?degl}(VWcMrIfg+afSq6y0%GTsh
zmAd<vAKnHjOx?5bKT7CX>lv6D{jwm+y<%WsPe4!89n~KN|7}Cb{Z;XweER73r}Qp2
zz}WP4j}U0&(uD&9yGy6`!+_v-S(yG*iytsTR#x_Rc>=6u^vnRD<C6c)4)B{t?-8)?
z2xp^$Jh2LbWBGv&x&py@L2t$XBoHw&)^o717Xj%jSXk*9f+X>nf1gP{#2>`ffrAC%
zTZ5WQ@hAK;P;>kX{D)mIXe4%a5p=LO1xXH@8T?mz<Y5Jb+5IA|K_bV-ptS8wKUIJe
zlnC^nSKzO2&(G!zwE~2?4Em$~2^|XeSLpxo+h4=3W@$d22XziXgrHPgKfxm4{Q?%G
z%VMu*@t=&O4_)C$NxOUvdcQ3}ZB70YssJb-`Tul<w3Ug8k?mhs6vf)^y%wk;2SMIt
z{0TA~lmzU5Ldx8AZhs^KyL&|c8vK4Lb%CG2#X<ed{{(-jXKyNKXJ=%o5Ap<=w3UIL
zg@_sGZ7|b!_^&MWL*Lxb4hwR|e+&o?;QOase|;DCb0ywom;GTt@W&#*Kz{hV|CDR?
zVeRjyW&63CPz0%4{!dT+(E^|;%)=av4+-w4Lb=QC_QQbS(xBkbza#iL*V}K{|6?S+
zOQ!N)<5u|v_FZa~ht<5F`r%Hy{D%R-1O5)`?-Q#$B)c!64)XGU3<!Rp{x|jhLH18R
zCmzz?7ykbF9x-(OhW6gH^?#_fKP0;^T79P_{=<OaQ@a10?7<xQA<2E2*1JuC9|i;u
z)c@xs_t!HXGTaxL{JE(vP5wE<?}3@W5PyA0dtcd4@W)+&u0Zhg*Z()#-*55{J<Er5
z_cg!n<N|*f5Ihs`ujzgv9{7;=zJ8O^4^q$-2!3MwuX+EGzSzSW+?Sq^`l$w44*$9a
zzfz5QNPPc<|IaQree<u0f1z{nkoW$v>7Q@d)$3pL{{B!2{-v70L*o1AO+|n5beiw~
zk@(>m?T3{2k2c;NWc^`4@P&Z?BjxXJ@;x1qhn)9Mn*IFdt_J-dIqx5#d`NfyfX~m(
zIS~5)MfZ2Uy?_4W`47i}u0ZgPh<{D|w_d#;D}Q&U<c9&l@uL4V+pkZUJoNDWE$N@f
z811-!Oa0gLy!-3)KQq|o{SCvP*5?13;r>$Q-G}xM1A@1f{#%A$jh6Qp&0hQ<0bPOM
z-{1Wm&p%%#eb_?x7i;bo<bD_s{JQdQSRc-n@6B`mH1&W2ZKd3Ot1yB=qk@55R^R>l
EfAhh=DF6Tf

literal 0
HcmV?d00001

diff --git a/example/.mvn/wrapper/maven-wrapper.properties b/example/.mvn/wrapper/maven-wrapper.properties
new file mode 100644
index 0000000..642d572
--- /dev/null
+++ b/example/.mvn/wrapper/maven-wrapper.properties
@@ -0,0 +1,2 @@
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.6.3/apache-maven-3.6.3-bin.zip
+wrapperUrl=https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar
diff --git a/example/.prettierrc.yaml b/example/.prettierrc.yaml
new file mode 100644
index 0000000..04450cb
--- /dev/null
+++ b/example/.prettierrc.yaml
@@ -0,0 +1,7 @@
+trailingComma: "none"
+useTabs: false
+tabWidth: 4
+semi: true
+singleQuote: false
+printWidth: 120
+
diff --git a/example/README.md b/example/README.md
new file mode 100644
index 0000000..dcd160a
--- /dev/null
+++ b/example/README.md
@@ -0,0 +1,106 @@
+# Web eID Spring Boot example
+
+![European Regional Development Fund](https://github.com/e-gov/RIHA-Frontend/raw/master/logo/EU/EU.png)
+
+Example Spring Boot web application that uses Web eID for strong authentication
+and digital signing with electronic ID smart cards.
+
+## Setup
+
+Note that although the browser considers localhost to be a secure context, it does not have a certificate,
+therefore you need to use e.g. Ngrok.io for local testing.
+
+Download ngrok and run locally using two parameters:
+```sh
+ngrok http 8080
+```
+
+## Configuration
+
+Open application.yaml file and set up the `local-origin` and `fingerprint` fields:
+
+- The `local-origin` field must contain the url, which was generated by ngrok.
+- The `fingerprint` field must contain the SHA256 fingerprint of the certificate, which you can retrieve from the browser by navigating to the ngrok url and exploring the server certificate details. Here is a [quick guide](https://www.globalsign.com/en/blog/how-to-view-ssl-certificate-details) and for different browsers.
+
+```yaml
+spring:
+  profiles: dev
+  servlet:
+    multipart:
+      max-file-size: 5000KB
+      max-request-size: 5000KB
+token:
+  validation:
+    local-origin: "https://ade0973a6557.ngrok.io"
+    fingerprint: "11:D8:AE:60:EC:19:10:C7:94:D7:4C:82:C8:0D:96:B2:07:88:B5:6A:D2:65:FF:F9:B5:14:C8:75:F7:90:08:E1"
+    keystore-password: "changeit"
+```
+
+Additionally, you can set up the keystore password, and the maximum size of the files to be uploaded.
+
+## Running
+
+Once the `local-origin` and `fingerprint` fields are set, you can run the application with the following command:
+```sh
+./mvnw spring-boot:run
+```
+and then navigate the browser to the url, that was generated by ngrok.
+
+
+## Testing
+
+In case you don't have the Web eID extension installed or want to test `web-eid.js` message handling manually,
+you can use the browser developer tools to mock the authentication response from the extension with
+`window.postMessage()` as follows:
+
+1. Click *Authenticate*
+2. Paste the following snippet into developer tools console:
+
+```js
+var loginResponse = await fetch("/auth/login", {
+    method: "POST",
+    headers: {
+      'Content-Type': 'application/json'
+    },
+    body: '{"auth-token":"eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlFQXpDQ0EyV2dBd0lCQWdJUU9Xa0JXWE5ESm0xYnlGZDNYc1drdmpBS0JnZ3Foa2pPUFFRREJEQmdNUXN3Q1FZRFZRUUdFd0pGUlRFYk1Ca0dBMVVFQ2d3U1Uwc2dTVVFnVTI5c2RYUnBiMjV6SUVGVE1SY3dGUVlEVlFSaERBNU9WRkpGUlMweE1EYzBOekF4TXpFYk1Ca0dBMVVFQXd3U1ZFVlRWQ0J2WmlCRlUxUkZTVVF5TURFNE1CNFhEVEU0TVRBeE9EQTVOVEEwTjFvWERUSXpNVEF4TnpJeE5UazFPVm93ZnpFTE1Ba0dBMVVFQmhNQ1JVVXhLakFvQmdOVkJBTU1JVXJEbFVWUFVrY3NTa0ZCU3kxTFVrbFRWRXBCVGl3ek9EQXdNVEE0TlRjeE9ERVFNQTRHQTFVRUJBd0hTc09WUlU5U1J6RVdNQlFHQTFVRUtnd05Ta0ZCU3kxTFVrbFRWRXBCVGpFYU1CZ0dBMVVFQlJNUlVFNVBSVVV0TXpnd01ERXdPRFUzTVRnd2RqQVFCZ2NxaGtqT1BRSUJCZ1VyZ1FRQUlnTmlBQVI1azFsWHp2U2VJOU8vMXMxcFp2amhFVzhuSXRKb0cwRUJGeG1MRVk2UzdraTF2RjJRM1RFRHg2ZE56dEkxWHR4OTZjczhyNHpZVHdkaVFvRGc3azNkaVV1UjluVFdHeFFFTU8xRkRvNFk5ZkFtaVBHV1QrK0d1T1ZvWlFZM1h4aWpnZ0hETUlJQnZ6QUpCZ05WSFJNRUFqQUFNQTRHQTFVZER3RUIvd1FFQXdJRGlEQkhCZ05WSFNBRVFEQStNRElHQ3lzR0FRUUJnNUVoQVFJQk1DTXdJUVlJS3dZQkJRVUhBZ0VXRldoMGRIQnpPaTh2ZDNkM0xuTnJMbVZsTDBOUVV6QUlCZ1lFQUk5NkFRSXdId1lEVlIwUkJCZ3dGb0VVTXpnd01ERXdPRFUzTVRoQVpXVnpkR2t1WldVd0hRWURWUjBPQkJZRUZPUXN2VFFKRUJWTU1TbWh5Wlg1YmliWUp1YkFNR0VHQ0NzR0FRVUZCd0VEQkZVd1V6QlJCZ1lFQUk1R0FRVXdSekJGRmo5b2RIUndjem92TDNOckxtVmxMMlZ1TDNKbGNHOXphWFJ2Y25rdlkyOXVaR2wwYVc5dWN5MW1iM0l0ZFhObExXOW1MV05sY25ScFptbGpZWFJsY3k4VEFrVk9NQ0FHQTFVZEpRRUIvd1FXTUJRR0NDc0dBUVVGQndNQ0JnZ3JCZ0VGQlFjREJEQWZCZ05WSFNNRUdEQVdnQlRBaEprcHhFNmZPd0kwOXBuaENsWUFDQ2srZXpCekJnZ3JCZ0VGQlFjQkFRUm5NR1V3TEFZSUt3WUJCUVVITUFHR0lHaDBkSEE2THk5aGFXRXVaR1Z0Ynk1emF5NWxaUzlsYzNSbGFXUXlNREU0TURVR0NDc0dBUVVGQnpBQ2hpbG9kSFJ3T2k4dll5NXpheTVsWlM5VVpYTjBYMjltWDBWVFZFVkpSREl3TVRndVpHVnlMbU55ZERBS0JnZ3Foa2pPUFFRREJBT0Jpd0F3Z1ljQ1FnSDFVc21NZHRMWnRpNTFGcTJRUjR3VWtBd3BzbmhzQlYySFFxVVhGWUJKN0VYbkxDa2FYamRaS2tIcEFCZk0wUUV4N1VVaGFJNGk1M2ppSjdFMVk3V09BQUpCRFg0ejYxcG5pSEphcEkxYmtNSWlKUS90aTdoYThmZEpTTVNwQWRzNUN5SEl5SGtReldsVnk4NmY5bUE3RXUzb1JPLzFxK2VGVXpEYk5OM1Z2eTdnUVdRPSJdfQ.eyJhdWQiOlsiaHR0cHM6Ly9yaWEuZWUiLCJ1cm46Y2VydDpzaGEtMjU2OjZmMGRmMjQ0ZTRhODU2Yjk0YjNiM2I0NzU4MmEwYTUxYTMyZDY3NGRiYzcxMDcyMTFlZDIzZDRiZWM2ZDljNzIiXSwiZXhwIjoiMTU4Njg3MTE2OSIsImlhdCI6IjE1ODY4NzA4NjkiLCJpc3MiOiJ3ZWItZWlkIGFwcCB2MC45LjAtMS1nZTZlODlmYSIsIm5vbmNlIjoiMTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2NzgiLCJzdWIiOiJKw5VFT1JHLEpBQUstS1JJU1RKQU4sMzgwMDEwODU3MTgifQ.0Y5CdMiSZ14rOnd7sbp-XeBQ7qrJVd21yTmAbiRnzAXtwqW8ZROg4jL4J7bpQ2fwyUz4-dVwLoVRVnxfJY82b8NXuxXrDb-8MXXmVYrMW0q0kPbEzqFbEnPYHjNnKAN0"}'
+});
+
+window.postMessage({
+    action: webeid.Action.AUTHENTICATE_SUCCESS,
+    response: {
+        status: 200,
+        headers: {},
+        body: await loginResponse.json()
+    }
+});
+```
+
+## Testing with curl
+
+```shell script
+$ curl 'http://localhost:8080/auth/login' -H 'Content-type: application/json' --data-raw '{"auth-token":"eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlFQXpDQ0EyV2dBd0lCQWdJUU9Xa0JXWE5ESm0xYnlGZDNYc1drdmpBS0JnZ3Foa2pPUFFRREJEQmdNUXN3Q1FZRFZRUUdFd0pGUlRFYk1Ca0dBMVVFQ2d3U1Uwc2dTVVFnVTI5c2RYUnBiMjV6SUVGVE1SY3dGUVlEVlFSaERBNU9WRkpGUlMweE1EYzBOekF4TXpFYk1Ca0dBMVVFQXd3U1ZFVlRWQ0J2WmlCRlUxUkZTVVF5TURFNE1CNFhEVEU0TVRBeE9EQTVOVEEwTjFvWERUSXpNVEF4TnpJeE5UazFPVm93ZnpFTE1Ba0dBMVVFQmhNQ1JVVXhLakFvQmdOVkJBTU1JVXJEbFVWUFVrY3NTa0ZCU3kxTFVrbFRWRXBCVGl3ek9EQXdNVEE0TlRjeE9ERVFNQTRHQTFVRUJBd0hTc09WUlU5U1J6RVdNQlFHQTFVRUtnd05Ta0ZCU3kxTFVrbFRWRXBCVGpFYU1CZ0dBMVVFQlJNUlVFNVBSVVV0TXpnd01ERXdPRFUzTVRnd2RqQVFCZ2NxaGtqT1BRSUJCZ1VyZ1FRQUlnTmlBQVI1azFsWHp2U2VJOU8vMXMxcFp2amhFVzhuSXRKb0cwRUJGeG1MRVk2UzdraTF2RjJRM1RFRHg2ZE56dEkxWHR4OTZjczhyNHpZVHdkaVFvRGc3azNkaVV1UjluVFdHeFFFTU8xRkRvNFk5ZkFtaVBHV1QrK0d1T1ZvWlFZM1h4aWpnZ0hETUlJQnZ6QUpCZ05WSFJNRUFqQUFNQTRHQTFVZER3RUIvd1FFQXdJRGlEQkhCZ05WSFNBRVFEQStNRElHQ3lzR0FRUUJnNUVoQVFJQk1DTXdJUVlJS3dZQkJRVUhBZ0VXRldoMGRIQnpPaTh2ZDNkM0xuTnJMbVZsTDBOUVV6QUlCZ1lFQUk5NkFRSXdId1lEVlIwUkJCZ3dGb0VVTXpnd01ERXdPRFUzTVRoQVpXVnpkR2t1WldVd0hRWURWUjBPQkJZRUZPUXN2VFFKRUJWTU1TbWh5Wlg1YmliWUp1YkFNR0VHQ0NzR0FRVUZCd0VEQkZVd1V6QlJCZ1lFQUk1R0FRVXdSekJGRmo5b2RIUndjem92TDNOckxtVmxMMlZ1TDNKbGNHOXphWFJ2Y25rdlkyOXVaR2wwYVc5dWN5MW1iM0l0ZFhObExXOW1MV05sY25ScFptbGpZWFJsY3k4VEFrVk9NQ0FHQTFVZEpRRUIvd1FXTUJRR0NDc0dBUVVGQndNQ0JnZ3JCZ0VGQlFjREJEQWZCZ05WSFNNRUdEQVdnQlRBaEprcHhFNmZPd0kwOXBuaENsWUFDQ2srZXpCekJnZ3JCZ0VGQlFjQkFRUm5NR1V3TEFZSUt3WUJCUVVITUFHR0lHaDBkSEE2THk5aGFXRXVaR1Z0Ynk1emF5NWxaUzlsYzNSbGFXUXlNREU0TURVR0NDc0dBUVVGQnpBQ2hpbG9kSFJ3T2k4dll5NXpheTVsWlM5VVpYTjBYMjltWDBWVFZFVkpSREl3TVRndVpHVnlMbU55ZERBS0JnZ3Foa2pPUFFRREJBT0Jpd0F3Z1ljQ1FnSDFVc21NZHRMWnRpNTFGcTJRUjR3VWtBd3BzbmhzQlYySFFxVVhGWUJKN0VYbkxDa2FYamRaS2tIcEFCZk0wUUV4N1VVaGFJNGk1M2ppSjdFMVk3V09BQUpCRFg0ejYxcG5pSEphcEkxYmtNSWlKUS90aTdoYThmZEpTTVNwQWRzNUN5SEl5SGtReldsVnk4NmY5bUE3RXUzb1JPLzFxK2VGVXpEYk5OM1Z2eTdnUVdRPSJdfQ.eyJhdWQiOlsiaHR0cHM6Ly9yaWEuZWUiLCJ1cm46Y2VydDpzaGEtMjU2OjZmMGRmMjQ0ZTRhODU2Yjk0YjNiM2I0NzU4MmEwYTUxYTMyZDY3NGRiYzcxMDcyMTFlZDIzZDRiZWM2ZDljNzIiXSwiZXhwIjoiMTU4Njg3MTE2OSIsImlhdCI6IjE1ODY4NzA4NjkiLCJpc3MiOiJ3ZWItZWlkIGFwcCB2MC45LjAtMS1nZTZlODlmYSIsIm5vbmNlIjoiMTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2NzgiLCJzdWIiOiJKw5VFT1JHLEpBQUstS1JJU1RKQU4sMzgwMDEwODU3MTgifQ.0Y5CdMiSZ14rOnd7sbp-XeBQ7qrJVd21yTmAbiRnzAXtwqW8ZROg4jL4J7bpQ2fwyUz4-dVwLoVRVnxfJY82b8NXuxXrDb-8MXXmVYrMW0q0kPbEzqFbEnPYHjNnKAN0"}'
+{"sub":"JÕEORG,JAAK-KRISTJAN,38001085718","auth":["ROLE_USER"]}
+```
+
+## Formatting code
+
+We use *prettier-java* for formatting code, install and run it as follows:
+
+```shell script
+npm install -g prettier prettier-plugin-java
+prettier --write "**/*.{java,js,html}"
+```
+
+## Deployment
+
+Build Docker image with Jib as follows:
+
+```sh
+mvn com.google.cloud.tools:jib-maven-plugin:dockerBuild
+```
+
+and deploy with Docker Compose as follows:
+
+```sh
+docker-compose up -d
+```
diff --git a/example/docker-compose.yml b/example/docker-compose.yml
new file mode 100644
index 0000000..005e79e
--- /dev/null
+++ b/example/docker-compose.yml
@@ -0,0 +1,7 @@
+version: '2'
+services:
+  web-eid-springboot-example:
+    image: web-eid-springboot-example:1.0.0-SNAPSHOT
+    restart: always
+    ports:
+      - '127.0.0.1:8380:8080'
diff --git a/example/mvnw b/example/mvnw
new file mode 100644
index 0000000..a16b543
--- /dev/null
+++ b/example/mvnw
@@ -0,0 +1,310 @@
+#!/bin/sh
+# ----------------------------------------------------------------------------
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+# ----------------------------------------------------------------------------
+
+# ----------------------------------------------------------------------------
+# Maven Start Up Batch script
+#
+# Required ENV vars:
+# ------------------
+#   JAVA_HOME - location of a JDK home dir
+#
+# Optional ENV vars
+# -----------------
+#   M2_HOME - location of maven2's installed home dir
+#   MAVEN_OPTS - parameters passed to the Java VM when running Maven
+#     e.g. to debug Maven itself, use
+#       set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+#   MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+# ----------------------------------------------------------------------------
+
+if [ -z "$MAVEN_SKIP_RC" ] ; then
+
+  if [ -f /etc/mavenrc ] ; then
+    . /etc/mavenrc
+  fi
+
+  if [ -f "$HOME/.mavenrc" ] ; then
+    . "$HOME/.mavenrc"
+  fi
+
+fi
+
+# OS specific support.  $var _must_ be set to either true or false.
+cygwin=false;
+darwin=false;
+mingw=false
+case "`uname`" in
+  CYGWIN*) cygwin=true ;;
+  MINGW*) mingw=true;;
+  Darwin*) darwin=true
+    # Use /usr/libexec/java_home if available, otherwise fall back to /Library/Java/Home
+    # See https://developer.apple.com/library/mac/qa/qa1170/_index.html
+    if [ -z "$JAVA_HOME" ]; then
+      if [ -x "/usr/libexec/java_home" ]; then
+        export JAVA_HOME="`/usr/libexec/java_home`"
+      else
+        export JAVA_HOME="/Library/Java/Home"
+      fi
+    fi
+    ;;
+esac
+
+if [ -z "$JAVA_HOME" ] ; then
+  if [ -r /etc/gentoo-release ] ; then
+    JAVA_HOME=`java-config --jre-home`
+  fi
+fi
+
+if [ -z "$M2_HOME" ] ; then
+  ## resolve links - $0 may be a link to maven's home
+  PRG="$0"
+
+  # need this for relative symlinks
+  while [ -h "$PRG" ] ; do
+    ls=`ls -ld "$PRG"`
+    link=`expr "$ls" : '.*-> \(.*\)$'`
+    if expr "$link" : '/.*' > /dev/null; then
+      PRG="$link"
+    else
+      PRG="`dirname "$PRG"`/$link"
+    fi
+  done
+
+  saveddir=`pwd`
+
+  M2_HOME=`dirname "$PRG"`/..
+
+  # make it fully qualified
+  M2_HOME=`cd "$M2_HOME" && pwd`
+
+  cd "$saveddir"
+  # echo Using m2 at $M2_HOME
+fi
+
+# For Cygwin, ensure paths are in UNIX format before anything is touched
+if $cygwin ; then
+  [ -n "$M2_HOME" ] &&
+    M2_HOME=`cygpath --unix "$M2_HOME"`
+  [ -n "$JAVA_HOME" ] &&
+    JAVA_HOME=`cygpath --unix "$JAVA_HOME"`
+  [ -n "$CLASSPATH" ] &&
+    CLASSPATH=`cygpath --path --unix "$CLASSPATH"`
+fi
+
+# For Mingw, ensure paths are in UNIX format before anything is touched
+if $mingw ; then
+  [ -n "$M2_HOME" ] &&
+    M2_HOME="`(cd "$M2_HOME"; pwd)`"
+  [ -n "$JAVA_HOME" ] &&
+    JAVA_HOME="`(cd "$JAVA_HOME"; pwd)`"
+fi
+
+if [ -z "$JAVA_HOME" ]; then
+  javaExecutable="`which javac`"
+  if [ -n "$javaExecutable" ] && ! [ "`expr \"$javaExecutable\" : '\([^ ]*\)'`" = "no" ]; then
+    # readlink(1) is not available as standard on Solaris 10.
+    readLink=`which readlink`
+    if [ ! `expr "$readLink" : '\([^ ]*\)'` = "no" ]; then
+      if $darwin ; then
+        javaHome="`dirname \"$javaExecutable\"`"
+        javaExecutable="`cd \"$javaHome\" && pwd -P`/javac"
+      else
+        javaExecutable="`readlink -f \"$javaExecutable\"`"
+      fi
+      javaHome="`dirname \"$javaExecutable\"`"
+      javaHome=`expr "$javaHome" : '\(.*\)/bin'`
+      JAVA_HOME="$javaHome"
+      export JAVA_HOME
+    fi
+  fi
+fi
+
+if [ -z "$JAVACMD" ] ; then
+  if [ -n "$JAVA_HOME"  ] ; then
+    if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
+      # IBM's JDK on AIX uses strange locations for the executables
+      JAVACMD="$JAVA_HOME/jre/sh/java"
+    else
+      JAVACMD="$JAVA_HOME/bin/java"
+    fi
+  else
+    JAVACMD="`which java`"
+  fi
+fi
+
+if [ ! -x "$JAVACMD" ] ; then
+  echo "Error: JAVA_HOME is not defined correctly." >&2
+  echo "  We cannot execute $JAVACMD" >&2
+  exit 1
+fi
+
+if [ -z "$JAVA_HOME" ] ; then
+  echo "Warning: JAVA_HOME environment variable is not set."
+fi
+
+CLASSWORLDS_LAUNCHER=org.codehaus.plexus.classworlds.launcher.Launcher
+
+# traverses directory structure from process work directory to filesystem root
+# first directory with .mvn subdirectory is considered project base directory
+find_maven_basedir() {
+
+  if [ -z "$1" ]
+  then
+    echo "Path not specified to find_maven_basedir"
+    return 1
+  fi
+
+  basedir="$1"
+  wdir="$1"
+  while [ "$wdir" != '/' ] ; do
+    if [ -d "$wdir"/.mvn ] ; then
+      basedir=$wdir
+      break
+    fi
+    # workaround for JBEAP-8937 (on Solaris 10/Sparc)
+    if [ -d "${wdir}" ]; then
+      wdir=`cd "$wdir/.."; pwd`
+    fi
+    # end of workaround
+  done
+  echo "${basedir}"
+}
+
+# concatenates all lines of a file
+concat_lines() {
+  if [ -f "$1" ]; then
+    echo "$(tr -s '\n' ' ' < "$1")"
+  fi
+}
+
+BASE_DIR=`find_maven_basedir "$(pwd)"`
+if [ -z "$BASE_DIR" ]; then
+  exit 1;
+fi
+
+##########################################################################################
+# Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+# This allows using the maven wrapper in projects that prohibit checking in binary data.
+##########################################################################################
+if [ -r "$BASE_DIR/.mvn/wrapper/maven-wrapper.jar" ]; then
+    if [ "$MVNW_VERBOSE" = true ]; then
+      echo "Found .mvn/wrapper/maven-wrapper.jar"
+    fi
+else
+    if [ "$MVNW_VERBOSE" = true ]; then
+      echo "Couldn't find .mvn/wrapper/maven-wrapper.jar, downloading it ..."
+    fi
+    if [ -n "$MVNW_REPOURL" ]; then
+      jarUrl="$MVNW_REPOURL/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
+    else
+      jarUrl="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
+    fi
+    while IFS="=" read key value; do
+      case "$key" in (wrapperUrl) jarUrl="$value"; break ;;
+      esac
+    done < "$BASE_DIR/.mvn/wrapper/maven-wrapper.properties"
+    if [ "$MVNW_VERBOSE" = true ]; then
+      echo "Downloading from: $jarUrl"
+    fi
+    wrapperJarPath="$BASE_DIR/.mvn/wrapper/maven-wrapper.jar"
+    if $cygwin; then
+      wrapperJarPath=`cygpath --path --windows "$wrapperJarPath"`
+    fi
+
+    if command -v wget > /dev/null; then
+        if [ "$MVNW_VERBOSE" = true ]; then
+          echo "Found wget ... using wget"
+        fi
+        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
+            wget "$jarUrl" -O "$wrapperJarPath"
+        else
+            wget --http-user=$MVNW_USERNAME --http-password=$MVNW_PASSWORD "$jarUrl" -O "$wrapperJarPath"
+        fi
+    elif command -v curl > /dev/null; then
+        if [ "$MVNW_VERBOSE" = true ]; then
+          echo "Found curl ... using curl"
+        fi
+        if [ -z "$MVNW_USERNAME" ] || [ -z "$MVNW_PASSWORD" ]; then
+            curl -o "$wrapperJarPath" "$jarUrl" -f
+        else
+            curl --user $MVNW_USERNAME:$MVNW_PASSWORD -o "$wrapperJarPath" "$jarUrl" -f
+        fi
+
+    else
+        if [ "$MVNW_VERBOSE" = true ]; then
+          echo "Falling back to using Java to download"
+        fi
+        javaClass="$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.java"
+        # For Cygwin, switch paths to Windows format before running javac
+        if $cygwin; then
+          javaClass=`cygpath --path --windows "$javaClass"`
+        fi
+        if [ -e "$javaClass" ]; then
+            if [ ! -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
+                if [ "$MVNW_VERBOSE" = true ]; then
+                  echo " - Compiling MavenWrapperDownloader.java ..."
+                fi
+                # Compiling the Java class
+                ("$JAVA_HOME/bin/javac" "$javaClass")
+            fi
+            if [ -e "$BASE_DIR/.mvn/wrapper/MavenWrapperDownloader.class" ]; then
+                # Running the downloader
+                if [ "$MVNW_VERBOSE" = true ]; then
+                  echo " - Running MavenWrapperDownloader.java ..."
+                fi
+                ("$JAVA_HOME/bin/java" -cp .mvn/wrapper MavenWrapperDownloader "$MAVEN_PROJECTBASEDIR")
+            fi
+        fi
+    fi
+fi
+##########################################################################################
+# End of extension
+##########################################################################################
+
+export MAVEN_PROJECTBASEDIR=${MAVEN_BASEDIR:-"$BASE_DIR"}
+if [ "$MVNW_VERBOSE" = true ]; then
+  echo $MAVEN_PROJECTBASEDIR
+fi
+MAVEN_OPTS="$(concat_lines "$MAVEN_PROJECTBASEDIR/.mvn/jvm.config") $MAVEN_OPTS"
+
+# For Cygwin, switch paths to Windows format before running java
+if $cygwin; then
+  [ -n "$M2_HOME" ] &&
+    M2_HOME=`cygpath --path --windows "$M2_HOME"`
+  [ -n "$JAVA_HOME" ] &&
+    JAVA_HOME=`cygpath --path --windows "$JAVA_HOME"`
+  [ -n "$CLASSPATH" ] &&
+    CLASSPATH=`cygpath --path --windows "$CLASSPATH"`
+  [ -n "$MAVEN_PROJECTBASEDIR" ] &&
+    MAVEN_PROJECTBASEDIR=`cygpath --path --windows "$MAVEN_PROJECTBASEDIR"`
+fi
+
+# Provide a "standardized" way to retrieve the CLI args that will
+# work with both Windows and non-Windows executions.
+MAVEN_CMD_LINE_ARGS="$MAVEN_CONFIG $@"
+export MAVEN_CMD_LINE_ARGS
+
+WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+
+exec "$JAVACMD" \
+  $MAVEN_OPTS \
+  -classpath "$MAVEN_PROJECTBASEDIR/.mvn/wrapper/maven-wrapper.jar" \
+  "-Dmaven.home=${M2_HOME}" "-Dmaven.multiModuleProjectDirectory=${MAVEN_PROJECTBASEDIR}" \
+  ${WRAPPER_LAUNCHER} $MAVEN_CONFIG "$@"
diff --git a/example/mvnw.cmd b/example/mvnw.cmd
new file mode 100644
index 0000000..c8d4337
--- /dev/null
+++ b/example/mvnw.cmd
@@ -0,0 +1,182 @@
+@REM ----------------------------------------------------------------------------
+@REM Licensed to the Apache Software Foundation (ASF) under one
+@REM or more contributor license agreements.  See the NOTICE file
+@REM distributed with this work for additional information
+@REM regarding copyright ownership.  The ASF licenses this file
+@REM to you under the Apache License, Version 2.0 (the
+@REM "License"); you may not use this file except in compliance
+@REM with the License.  You may obtain a copy of the License at
+@REM
+@REM    https://www.apache.org/licenses/LICENSE-2.0
+@REM
+@REM Unless required by applicable law or agreed to in writing,
+@REM software distributed under the License is distributed on an
+@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+@REM KIND, either express or implied.  See the License for the
+@REM specific language governing permissions and limitations
+@REM under the License.
+@REM ----------------------------------------------------------------------------
+
+@REM ----------------------------------------------------------------------------
+@REM Maven Start Up Batch script
+@REM
+@REM Required ENV vars:
+@REM JAVA_HOME - location of a JDK home dir
+@REM
+@REM Optional ENV vars
+@REM M2_HOME - location of maven2's installed home dir
+@REM MAVEN_BATCH_ECHO - set to 'on' to enable the echoing of the batch commands
+@REM MAVEN_BATCH_PAUSE - set to 'on' to wait for a keystroke before ending
+@REM MAVEN_OPTS - parameters passed to the Java VM when running Maven
+@REM     e.g. to debug Maven itself, use
+@REM set MAVEN_OPTS=-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=8000
+@REM MAVEN_SKIP_RC - flag to disable loading of mavenrc files
+@REM ----------------------------------------------------------------------------
+
+@REM Begin all REM lines with '@' in case MAVEN_BATCH_ECHO is 'on'
+@echo off
+@REM set title of command window
+title %0
+@REM enable echoing by setting MAVEN_BATCH_ECHO to 'on'
+@if "%MAVEN_BATCH_ECHO%" == "on"  echo %MAVEN_BATCH_ECHO%
+
+@REM set %HOME% to equivalent of $HOME
+if "%HOME%" == "" (set "HOME=%HOMEDRIVE%%HOMEPATH%")
+
+@REM Execute a user defined script before this one
+if not "%MAVEN_SKIP_RC%" == "" goto skipRcPre
+@REM check for pre script, once with legacy .bat ending and once with .cmd ending
+if exist "%HOME%\mavenrc_pre.bat" call "%HOME%\mavenrc_pre.bat"
+if exist "%HOME%\mavenrc_pre.cmd" call "%HOME%\mavenrc_pre.cmd"
+:skipRcPre
+
+@setlocal
+
+set ERROR_CODE=0
+
+@REM To isolate internal variables from possible post scripts, we use another setlocal
+@setlocal
+
+@REM ==== START VALIDATION ====
+if not "%JAVA_HOME%" == "" goto OkJHome
+
+echo.
+echo Error: JAVA_HOME not found in your environment. >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+echo.
+goto error
+
+:OkJHome
+if exist "%JAVA_HOME%\bin\java.exe" goto init
+
+echo.
+echo Error: JAVA_HOME is set to an invalid directory. >&2
+echo JAVA_HOME = "%JAVA_HOME%" >&2
+echo Please set the JAVA_HOME variable in your environment to match the >&2
+echo location of your Java installation. >&2
+echo.
+goto error
+
+@REM ==== END VALIDATION ====
+
+:init
+
+@REM Find the project base dir, i.e. the directory that contains the folder ".mvn".
+@REM Fallback to current working directory if not found.
+
+set MAVEN_PROJECTBASEDIR=%MAVEN_BASEDIR%
+IF NOT "%MAVEN_PROJECTBASEDIR%"=="" goto endDetectBaseDir
+
+set EXEC_DIR=%CD%
+set WDIR=%EXEC_DIR%
+:findBaseDir
+IF EXIST "%WDIR%"\.mvn goto baseDirFound
+cd ..
+IF "%WDIR%"=="%CD%" goto baseDirNotFound
+set WDIR=%CD%
+goto findBaseDir
+
+:baseDirFound
+set MAVEN_PROJECTBASEDIR=%WDIR%
+cd "%EXEC_DIR%"
+goto endDetectBaseDir
+
+:baseDirNotFound
+set MAVEN_PROJECTBASEDIR=%EXEC_DIR%
+cd "%EXEC_DIR%"
+
+:endDetectBaseDir
+
+IF NOT EXIST "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" goto endReadAdditionalConfig
+
+@setlocal EnableExtensions EnableDelayedExpansion
+for /F "usebackq delims=" %%a in ("%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config") do set JVM_CONFIG_MAVEN_PROPS=!JVM_CONFIG_MAVEN_PROPS! %%a
+@endlocal & set JVM_CONFIG_MAVEN_PROPS=%JVM_CONFIG_MAVEN_PROPS%
+
+:endReadAdditionalConfig
+
+SET MAVEN_JAVA_EXE="%JAVA_HOME%\bin\java.exe"
+set WRAPPER_JAR="%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.jar"
+set WRAPPER_LAUNCHER=org.apache.maven.wrapper.MavenWrapperMain
+
+set DOWNLOAD_URL="https://repo.maven.apache.org/maven2/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
+
+FOR /F "tokens=1,2 delims==" %%A IN ("%MAVEN_PROJECTBASEDIR%\.mvn\wrapper\maven-wrapper.properties") DO (
+    IF "%%A"=="wrapperUrl" SET DOWNLOAD_URL=%%B
+)
+
+@REM Extension to allow automatically downloading the maven-wrapper.jar from Maven-central
+@REM This allows using the maven wrapper in projects that prohibit checking in binary data.
+if exist %WRAPPER_JAR% (
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Found %WRAPPER_JAR%
+    )
+) else (
+    if not "%MVNW_REPOURL%" == "" (
+        SET DOWNLOAD_URL="%MVNW_REPOURL%/io/takari/maven-wrapper/0.5.6/maven-wrapper-0.5.6.jar"
+    )
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Couldn't find %WRAPPER_JAR%, downloading it ...
+        echo Downloading from: %DOWNLOAD_URL%
+    )
+
+    powershell -Command "&{"^
+		"$webclient = new-object System.Net.WebClient;"^
+		"if (-not ([string]::IsNullOrEmpty('%MVNW_USERNAME%') -and [string]::IsNullOrEmpty('%MVNW_PASSWORD%'))) {"^
+		"$webclient.Credentials = new-object System.Net.NetworkCredential('%MVNW_USERNAME%', '%MVNW_PASSWORD%');"^
+		"}"^
+		"[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $webclient.DownloadFile('%DOWNLOAD_URL%', '%WRAPPER_JAR%')"^
+		"}"
+    if "%MVNW_VERBOSE%" == "true" (
+        echo Finished downloading %WRAPPER_JAR%
+    )
+)
+@REM End of extension
+
+@REM Provide a "standardized" way to retrieve the CLI args that will
+@REM work with both Windows and non-Windows executions.
+set MAVEN_CMD_LINE_ARGS=%*
+
+%MAVEN_JAVA_EXE% %JVM_CONFIG_MAVEN_PROPS% %MAVEN_OPTS% %MAVEN_DEBUG_OPTS% -classpath %WRAPPER_JAR% "-Dmaven.multiModuleProjectDirectory=%MAVEN_PROJECTBASEDIR%" %WRAPPER_LAUNCHER% %MAVEN_CONFIG% %*
+if ERRORLEVEL 1 goto error
+goto end
+
+:error
+set ERROR_CODE=1
+
+:end
+@endlocal & set ERROR_CODE=%ERROR_CODE%
+
+if not "%MAVEN_SKIP_RC%" == "" goto skipRcPost
+@REM check for post script, once with legacy .bat ending and once with .cmd ending
+if exist "%HOME%\mavenrc_post.bat" call "%HOME%\mavenrc_post.bat"
+if exist "%HOME%\mavenrc_post.cmd" call "%HOME%\mavenrc_post.cmd"
+:skipRcPost
+
+@REM pause the script if MAVEN_BATCH_PAUSE is set to 'on'
+if "%MAVEN_BATCH_PAUSE%" == "on" pause
+
+if "%MAVEN_TERMINATE_CMD%" == "on" exit %ERROR_CODE%
+
+exit /B %ERROR_CODE%
diff --git a/example/pom.xml b/example/pom.xml
new file mode 100644
index 0000000..d8048c4
--- /dev/null
+++ b/example/pom.xml
@@ -0,0 +1,143 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<parent>
+		<groupId>org.springframework.boot</groupId>
+		<artifactId>spring-boot-starter-parent</artifactId>
+		<version>2.2.5.RELEASE</version>
+		<relativePath/> <!-- lookup parent from repository -->
+	</parent>
+	<groupId>org.webeid.example</groupId>
+	<artifactId>web-eid-springboot-example</artifactId>
+	<version>1.0.0-SNAPSHOT</version>
+	<name>web-eid-springboot-example</name>
+	<description>Example Spring Boot project that demonstrates how to use Web eID for authentication and digital
+		signing
+	</description>
+
+	<properties>
+		<java.version>1.8</java.version>
+		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
+		<jmockit.version>1.44</jmockit.version>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-thymeleaf</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-config</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>javax.cache</groupId>
+			<artifactId>cache-api</artifactId>
+			<version>1.1.1</version>
+		</dependency>
+		<dependency>
+			<groupId>com.hazelcast</groupId>
+			<artifactId>hazelcast</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.hibernate.validator</groupId>
+			<artifactId>hibernate-validator</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>com.google.guava</groupId>
+			<artifactId>guava</artifactId>
+			<version>20.0</version>
+		</dependency>
+
+		<dependency>
+			<groupId>org.digidoc4j</groupId>
+			<artifactId>digidoc4j</artifactId>
+			<version>4.0.3</version>
+		</dependency>
+		<dependency>
+			<groupId>org.webeid.security</groupId>
+			<artifactId>authtoken-validation</artifactId>
+			<version>1.0.0-SNAPSHOT</version>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-devtools</artifactId>
+			<optional>true</optional>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+			<exclusions>
+				<exclusion>
+					<groupId>org.junit.vintage</groupId>
+					<artifactId>junit-vintage-engine</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>org.jmockit</groupId>
+			<artifactId>jmockit</artifactId>
+			<version>${jmockit.version}</version>
+			<scope>test</scope>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+			<plugin>
+				<artifactId>maven-surefire-plugin</artifactId>
+				<version>${maven-surefire-plugin.version}</version>
+				<configuration>
+					<argLine>
+						-javaagent:${settings.localRepository}/org/jmockit/jmockit/${jmockit.version}/jmockit-${jmockit.version}.jar
+					</argLine>
+					<disableXmlReport>true</disableXmlReport>
+				</configuration>
+			</plugin>
+		</plugins>
+	</build>
+
+	<repositories>
+		<repository>
+			<id>gitlab-maven</id>
+			<url>https://gitlab.com/api/v4/projects/19948337/packages/maven</url>
+		</repository>
+	</repositories>
+
+	<distributionManagement>
+		<repository>
+			<id>gitlab-maven</id>
+			<url>https://gitlab.com/api/v4/projects/19948337/packages/maven</url>
+		</repository>
+
+		<snapshotRepository>
+			<id>gitlab-maven</id>
+			<url>https://gitlab.com/api/v4/projects/19948337/packages/maven</url>
+		</snapshotRepository>
+	</distributionManagement>
+
+</project>
diff --git a/example/src/main/java/org/webeid/example/WebEidSpringbootExampleApplication.java b/example/src/main/java/org/webeid/example/WebEidSpringbootExampleApplication.java
new file mode 100644
index 0000000..12c43dc
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/WebEidSpringbootExampleApplication.java
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class WebEidSpringbootExampleApplication {
+
+    public static void main(String[] args) {
+        SpringApplication.run(WebEidSpringbootExampleApplication.class, args);
+    }
+}
diff --git a/example/src/main/java/org/webeid/example/config/ApplicationConfiguration.java b/example/src/main/java/org/webeid/example/config/ApplicationConfiguration.java
new file mode 100644
index 0000000..59e088f
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/config/ApplicationConfiguration.java
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.config;
+
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
+import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+import org.webeid.example.security.AuthTokenDTOAuthenticationProvider;
+import org.webeid.example.security.WebEidAjaxLoginProcessingFilter;
+
+@Configuration
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
+public class ApplicationConfiguration extends WebSecurityConfigurerAdapter implements WebMvcConfigurer {
+    final AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider;
+
+    public ApplicationConfiguration(AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider) {
+        this.authTokenDTOAuthenticationProvider = authTokenDTOAuthenticationProvider;
+    }
+
+    @Override
+    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) {
+        authenticationManagerBuilder.authenticationProvider(authTokenDTOAuthenticationProvider);
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        // @formatter:off
+        http
+            .addFilterBefore(
+                    new WebEidAjaxLoginProcessingFilter("/auth/login", authenticationManager()),
+                    UsernamePasswordAuthenticationFilter.class)
+            .authorizeRequests()
+            .antMatchers("/auth/challenge", "/auth/login", "/")
+            .permitAll()
+            .antMatchers("/welcome")
+            .authenticated()
+         .and()
+            .logout()
+            .logoutUrl("/logout")
+            .deleteCookies("JSESSIONID")
+            .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
+         .and()
+            .csrf()
+            .disable();
+        // @formatter:on
+    }
+
+    public void addViewControllers(ViewControllerRegistry registry) {
+        registry.addViewController("/welcome").setViewName("welcome");
+    }
+
+
+}
diff --git a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
new file mode 100644
index 0000000..dc2ae7e
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
@@ -0,0 +1,143 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.config;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.core.io.Resource;
+import org.springframework.core.io.support.PathMatchingResourcePatternResolver;
+import org.webeid.security.nonce.NonceGenerator;
+import org.webeid.security.nonce.NonceGeneratorBuilder;
+import org.webeid.security.validator.AuthTokenValidator;
+import org.webeid.security.validator.AuthTokenValidatorBuilder;
+
+import javax.cache.Cache;
+import javax.cache.CacheManager;
+import javax.cache.Caching;
+import javax.cache.configuration.CompleteConfiguration;
+import javax.cache.configuration.MutableConfiguration;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URI;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.time.LocalDateTime;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.List;
+
+@Configuration
+public class ValidationConfiguration {
+
+    private static final Logger LOG = LoggerFactory.getLogger(ValidationConfiguration.class);
+    private static final String CACHE_NAME = "nonceCache";
+
+    @Bean
+    public Cache<String, LocalDateTime> nonceCache() {
+        CacheManager cacheManager = Caching.getCachingProvider().getCacheManager();
+        Cache<String, LocalDateTime> cache = cacheManager.getCache(CACHE_NAME);
+
+        if (cache == null) {
+            CompleteConfiguration<String, LocalDateTime> cacheConfig = new MutableConfiguration<String, LocalDateTime>().setTypes(String.class, LocalDateTime.class);
+            cache = cacheManager.createCache(CACHE_NAME, cacheConfig);
+        }
+        return cache;
+    }
+
+    @Bean
+    public NonceGenerator generator() {
+        return new NonceGeneratorBuilder()
+                .withNonceCache(nonceCache())
+                .build();
+    }
+
+    @Bean
+    public X509Certificate[] trustedCertificateAuthorities() {
+        List<X509Certificate> caCertificates = new ArrayList<>();
+
+        try {
+            CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+
+            PathMatchingResourcePatternResolver resolver = new PathMatchingResourcePatternResolver();
+            Resource[] resources = resolver.getResources("/certs/*.cer");
+
+            for (Resource resource : resources) {
+                X509Certificate caCertificate = (X509Certificate) certFactory.generateCertificate(resource.getInputStream());
+                caCertificates.add(caCertificate);
+            }
+
+        } catch (CertificateException | IOException e) {
+            LOG.error("Error initializing trusted CA certificates.", e);
+            throw new RuntimeException("Error initializing trusted CA certificates.", e);
+        }
+
+        return caCertificates.toArray(new X509Certificate[0]);
+    }
+
+    @Bean
+    public X509Certificate[] initializeTrustedCACertificatesFromKeyStore() {
+        List<X509Certificate> caCertificates = new ArrayList<>();
+
+        try (InputStream is = ValidationConfiguration.class.getResourceAsStream("/certs/trusted_certificates.jks")) {
+            KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
+            keystore.load(is, yamlConfig().getKeystorePassword().toCharArray());
+            Enumeration<String> aliases = keystore.aliases();
+            while (aliases.hasMoreElements()) {
+                String alias = aliases.nextElement();
+                X509Certificate certificate = (X509Certificate) keystore.getCertificate(alias);
+                caCertificates.add(certificate);
+            }
+        } catch (IOException | CertificateException | KeyStoreException | NoSuchAlgorithmException e) {
+            LOG.error("Error initializing trusted CA certificates from trust store.", e);
+            throw new RuntimeException("Error initializing trusted CA certificates from trust store.", e);
+        }
+
+        return caCertificates.toArray(new X509Certificate[0]);
+    }
+
+
+    @Bean
+    public AuthTokenValidator validator() {
+        return new AuthTokenValidatorBuilder()
+                .withSiteOrigin(URI.create(yamlConfig().getLocalOrigin()))
+                // FIXME: decide what should validation library do when cert fingerprint validation is enabled but fingerprint is null (as in Chrome)
+//                .withSiteCertificateSha256Fingerprint(yamlConfig().getFingerprint())
+                .withNonceCache(nonceCache())
+                .withTrustedCertificateAuthorities(trustedCertificateAuthorities())
+                .withTrustedCertificateAuthorities(initializeTrustedCACertificatesFromKeyStore())
+                // FIXME: investigate why for Idemia test card OcspUtils.ocspUri() -> null so that "User certificate revocation check has failed: The CA/certificate doesn't have an OCSP responder"
+                .withoutUserCertificateRevocationCheckWithOcsp()
+                .build();
+    }
+
+    @Bean
+    public YAMLConfig yamlConfig() {
+        return new YAMLConfig();
+    }
+}
diff --git a/example/src/main/java/org/webeid/example/config/YAMLConfig.java b/example/src/main/java/org/webeid/example/config/YAMLConfig.java
new file mode 100644
index 0000000..d756101
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/config/YAMLConfig.java
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.config;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@EnableConfigurationProperties
+@ConfigurationProperties(prefix = "token.validation")
+public class YAMLConfig {
+
+    private final String FINGERPRINT_PREFIX = "urn:cert:sha-256:";
+
+    @Value("local-origin")
+    private String localOrigin;
+    private String fingerprint;
+
+    @Value("keystore-password")
+    private String keystorePassword;
+
+    public String getLocalOrigin() {
+        return localOrigin;
+    }
+
+    public void setLocalOrigin(String localOrigin) {
+        this.localOrigin = localOrigin;
+    }
+
+    public String getFingerprint() {
+        if(fingerprint != null && !fingerprint.startsWith(FINGERPRINT_PREFIX)) {
+            fingerprint = FINGERPRINT_PREFIX + fingerprint.replace(":", "").toLowerCase();
+        }
+        return fingerprint;
+    }
+
+    public void setFingerprint(String fingerprint) {
+        this.fingerprint = fingerprint;
+    }
+
+    public String getKeystorePassword() {
+        return keystorePassword;
+    }
+
+    public void setKeystorePassword(String keystorePassword) {
+        this.keystorePassword = keystorePassword;
+    }
+}
diff --git a/example/src/main/java/org/webeid/example/security/AuthTokenDTOAuthenticationProvider.java b/example/src/main/java/org/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
new file mode 100644
index 0000000..de22a3c
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.security;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+import org.springframework.stereotype.Component;
+import org.webeid.example.security.dto.AuthTokenDTO;
+import org.webeid.security.exceptions.TokenValidationException;
+import org.webeid.security.util.CertUtil;
+import org.webeid.security.validator.AuthTokenValidator;
+
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Parses JWT from token string inside AuthTokenDTO and attempts authentication.
+ */
+@Component
+public class AuthTokenDTOAuthenticationProvider implements AuthenticationProvider {
+    public static final String ROLE_USER = "ROLE_USER";
+    private static final GrantedAuthority USER_ROLE = new SimpleGrantedAuthority(ROLE_USER);
+
+    private static final Logger LOG = LoggerFactory.getLogger(AuthTokenDTOAuthenticationProvider.class);
+
+    @Autowired
+    private AuthTokenValidator tokenValidator;
+
+    @Override
+    public Authentication authenticate(Authentication auth) throws AuthenticationException {
+        LOG.info("authenticate(): {}", auth);
+
+        final PreAuthenticatedAuthenticationToken authentication = (PreAuthenticatedAuthenticationToken) auth;
+
+        final String token = ((AuthTokenDTO) authentication.getCredentials()).getToken();
+
+        final List<GrantedAuthority> authorities = new ArrayList<>(2);
+        authorities.add(USER_ROLE);
+
+        try {
+            X509Certificate userCertificate = tokenValidator.validate(token);
+            return new PreAuthenticatedAuthenticationToken(getPrincipalFromCertificate(userCertificate), null, authorities);
+        } catch (TokenValidationException e) {
+            LOG.warn("Token validation has failed", e);
+            throw new AuthenticationServiceException("Token validation failed: " + e.getMessage());
+        } catch (CertificateEncodingException e) {
+            LOG.warn("Failed to extract subject fields from certificate", e);
+            throw new AuthenticationServiceException("Incorrect certificate subject fields: " + e.getMessage());
+        }
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        LOG.info("supports(): {}", authentication);
+        return PreAuthenticatedAuthenticationToken.class.equals(authentication);
+    }
+
+    // FIXME: create a proper principal object
+    private String getPrincipalFromCertificate(X509Certificate userCertificate) throws CertificateEncodingException {
+        return CertUtil.getSubjectGivenName(userCertificate) + ' ' +
+                CertUtil.getSubjectSurname(userCertificate) + ", " +
+                CertUtil.getSubjectIdCode(userCertificate);
+    }
+}
diff --git a/example/src/main/java/org/webeid/example/security/WebEidAjaxLoginProcessingFilter.java b/example/src/main/java/org/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
new file mode 100644
index 0000000..b78b54f
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.security;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+import org.webeid.example.security.ajax.AjaxAuthenticationFailureHandler;
+import org.webeid.example.security.ajax.AjaxAuthenticationSuccessHandler;
+import org.webeid.example.security.dto.AuthTokenDTO;
+
+public class WebEidAjaxLoginProcessingFilter extends AbstractAuthenticationProcessingFilter {
+    private static final Logger LOG = LoggerFactory.getLogger(WebEidAjaxLoginProcessingFilter.class);
+
+    public WebEidAjaxLoginProcessingFilter(
+        String defaultFilterProcessesUrl,
+        AuthenticationManager authenticationManager
+    ) {
+        super(defaultFilterProcessesUrl);
+        this.setAuthenticationManager(authenticationManager);
+        this.setAuthenticationSuccessHandler(new AjaxAuthenticationSuccessHandler());
+        this.setAuthenticationFailureHandler(new AjaxAuthenticationFailureHandler());
+    }
+
+    @Override
+    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
+        throws AuthenticationException, IOException {
+        if (!HttpMethod.POST.name().equals(request.getMethod())) {
+            LOG.warn("HttpMethod not supported: {}", request.getMethod());
+            throw new AuthenticationServiceException("HttpMethod not supported: " + request.getMethod());
+        }
+        final String contentType = request.getHeader("Content-type");
+        if (contentType == null || !contentType.startsWith("application/json")) {
+            LOG.warn("Content type not supported: {}", contentType);
+            throw new AuthenticationServiceException("Content type not supported: " + contentType);
+        }
+
+        LOG.info("attemptAuthentication(): Reading request body");
+        final ObjectMapper objectMapper = new ObjectMapper();
+        final AuthTokenDTO authTokenDTO = objectMapper.readValue(request.getReader(), AuthTokenDTO.class);
+        LOG.info("attemptAuthentication(): Creating token");
+        final PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(null, authTokenDTO);
+        LOG.info("attemptAuthentication(): Calling authentication manager");
+        return getAuthenticationManager().authenticate(token);
+    }
+}
diff --git a/example/src/main/java/org/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java b/example/src/main/java/org/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
new file mode 100644
index 0000000..d173206
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.security.ajax;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import java.io.IOException;
+
+public class AjaxAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
+    private static final Logger LOG = LoggerFactory.getLogger(AjaxAuthenticationFailureHandler.class);
+
+    public static final String AUTHENTICATION_FAILED = "Authentication failed: ";
+
+    @Override
+    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
+                                        AuthenticationException exception) throws IOException {
+        final String message = AUTHENTICATION_FAILED + exception.getMessage();
+        LOG.warn("onAuthenticationFailure(): exception {}, returning {} {}",
+                exception,
+                HttpServletResponse.SC_UNAUTHORIZED,
+                message);
+        final HttpSession session = request.getSession(false);
+        if (session != null) {
+            LOG.info("Invalidating session");
+            session.invalidate();
+        }
+        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, message);
+    }
+}
diff --git a/example/src/main/java/org/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java b/example/src/main/java/org/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
new file mode 100644
index 0000000..2d2ccc7
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
@@ -0,0 +1,86 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.security.ajax;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.IOException;
+import java.util.Collection;
+import java.util.List;
+import java.util.stream.Collectors;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
+import org.springframework.stereotype.Component;
+
+/**
+ * Write custom response on having user successfully authenticated.
+ * <p>
+ * This is not required in production application, but to demonstrate that
+ * authentication and authorization steps have been passed.
+ */
+@Component
+public class AjaxAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
+    private static final Logger LOG = LoggerFactory.getLogger(AjaxAuthenticationSuccessHandler.class);
+
+    @Override
+    public void onAuthenticationSuccess(
+        HttpServletRequest request,
+        HttpServletResponse response,
+        Authentication authentication
+    )
+        throws IOException {
+        LOG.info("onAuthenticationSuccess(): {}", authentication);
+
+        response.setStatus(HttpServletResponse.SC_OK);
+        response.setHeader("Content-Type", "application/json; charset=utf-8");
+
+        response.getWriter().write(AuthSuccessDTO.asJson(authentication));
+    }
+
+    public static class AuthSuccessDTO {
+        private final ObjectMapper objectMapper = new ObjectMapper();
+
+        @JsonProperty("sub")
+        private String sub;
+
+        @JsonProperty("auth")
+        private List<String> auth;
+
+        public static String asJson(Authentication authentication) throws JsonProcessingException {
+            final AuthSuccessDTO dto = new AuthSuccessDTO();
+            dto.sub = authentication.getName();
+            dto.auth = convertAuthorities(authentication.getAuthorities());
+            return dto.objectMapper.writeValueAsString(dto);
+        }
+
+        private static List<String> convertAuthorities(Collection<? extends GrantedAuthority> authorities) {
+            return authorities.stream().map(GrantedAuthority::toString).collect(Collectors.toList());
+        }
+    }
+}
diff --git a/example/src/main/java/org/webeid/example/security/dto/AuthTokenDTO.java b/example/src/main/java/org/webeid/example/security/dto/AuthTokenDTO.java
new file mode 100644
index 0000000..7235404
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/security/dto/AuthTokenDTO.java
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.security.dto;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class AuthTokenDTO {
+    @JsonProperty("auth-token")
+    private String token;
+
+    public String getToken() {
+        return token;
+    }
+
+    public void setToken(String token) {
+        this.token = token;
+    }
+}
diff --git a/example/src/main/java/org/webeid/example/service/SigningService.java b/example/src/main/java/org/webeid/example/service/SigningService.java
new file mode 100644
index 0000000..e790204
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/service/SigningService.java
@@ -0,0 +1,176 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.service;
+
+import com.google.common.io.ByteStreams;
+import org.apache.commons.io.FilenameUtils;
+import org.digidoc4j.*;
+import org.digidoc4j.utils.TokenAlgorithmSupport;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.ObjectFactory;
+import org.springframework.core.io.ByteArrayResource;
+import org.springframework.stereotype.Service;
+import org.webeid.example.service.dto.CertificateDTO;
+import org.webeid.example.service.dto.DigestDTO;
+import org.webeid.example.service.dto.FileDTO;
+import org.webeid.example.service.dto.SignatureDTO;
+import org.webeid.example.web.rest.SigningController;
+
+import javax.servlet.http.HttpSession;
+import javax.xml.bind.DatatypeConverter;
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Base64;
+import java.util.Objects;
+
+@Service
+public class SigningService {
+
+    private static final String SESSION_ATTR_FILE = "file-to-sign";
+    private static final String SESSION_ATTR_CONTAINER = "container-to-sign";
+    private static final String SESSION_ATTR_DATA = "data-to-sign";
+    private static final Logger LOG = LoggerFactory.getLogger(SigningController.class);
+    private final Configuration signingConfiguration;
+
+    ObjectFactory<HttpSession> httpSessionFactory;
+
+    public SigningService(ObjectFactory<HttpSession> httpSessionFactory) {
+        // FIXME: use PROD conf + real OCSP (with IP whitelisting)
+        this.signingConfiguration = Configuration.of(Configuration.Mode.TEST);
+        this.httpSessionFactory = httpSessionFactory;
+    }
+
+    private HttpSession currentSession() {
+        return httpSessionFactory.getObject();
+    }
+
+    /**
+     * Creates a {@link Container} using given name and files.
+     *
+     * @param fileDTO container file
+     * @return new {@link Container} instance
+     */
+    public FileDTO createContainer(FileDTO fileDTO) {
+
+        LOG.info("Creating container for file '{}'", fileDTO.getName());
+        ContainerBuilder builder = ContainerBuilder.aContainer(Container.DocumentType.ASICE);
+
+        byte[] fileBytes = Base64.getDecoder().decode(fileDTO.getBase64String().getBytes(StandardCharsets.UTF_8));
+        DataFile dataFile = new DataFile(fileBytes, fileDTO.getName(), fileDTO.getContentType());
+        builder.withDataFile(dataFile);
+
+        LOG.info("Successfully created container '{}'", fileDTO.getName());
+        Container containerToSign = builder.withConfiguration(signingConfiguration).build();
+
+        currentSession().setAttribute(SESSION_ATTR_CONTAINER, containerToSign);
+        currentSession().setAttribute(SESSION_ATTR_FILE, fileDTO);
+
+        FileDTO newFileDTO = new FileDTO();
+        newFileDTO.setName(fileDTO.getName());
+
+        return newFileDTO;
+    }
+
+    /**
+     * Prepares given container {@link Container} for the signature process.
+     *
+     * @param certificateDTO user's X.509 certificate
+     * @return data to be signed
+     */
+    public DigestDTO prepareContainer(CertificateDTO certificateDTO) throws CertificateException, NoSuchAlgorithmException {
+        X509Certificate certificate = certificateDTO.toX509Certificate();
+        FileDTO fileDTO = (FileDTO) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_FILE));
+        Container containerToPrepare = (Container) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_CONTAINER));
+
+        String containerName = generateContainerName(fileDTO.getName());
+        LOG.info("Preparing container for signing for file '{}'", containerName);
+
+        DataToSign dataToSign = SignatureBuilder.
+                aSignature(containerToPrepare).
+                withSigningCertificate(certificate).
+                withSignatureDigestAlgorithm(TokenAlgorithmSupport.determineSignatureDigestAlgorithm(certificate)).
+                buildDataToSign();
+
+        currentSession().setAttribute(SESSION_ATTR_DATA, dataToSign);
+
+        LOG.info("Successfully prepared container for signing for file '{}'", containerName);
+
+        final String digestAlgorithm = certificateDTO.getSupportedAlgorithmNames().contains("SHA384") ?
+                "SHA-384" : "SHA-256";
+
+        final byte[] digest = MessageDigest.getInstance(digestAlgorithm).digest(dataToSign.getDataToSign());
+
+        DigestDTO digestDTO = new DigestDTO();
+        digestDTO.setHash(DatatypeConverter.printBase64Binary(digest));
+        digestDTO.setAlgorithm(digestAlgorithm);
+
+        return digestDTO;
+    }
+
+    /**
+     * Signs a {@link Container} using given {@link SignatureDTO}.
+     * Container to sign is taken from the current session.
+     *
+     * @param signatureDTO signature DTO
+     * @return fileDTO
+     */
+    public FileDTO signContainer(SignatureDTO signatureDTO) {
+        try {
+            FileDTO fileDTO = (FileDTO) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_FILE));
+            Container containerToSign = (Container) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_CONTAINER));
+            DataToSign dataToSign = (DataToSign) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_DATA));
+
+            byte[] signatureBytes = DatatypeConverter.parseBase64Binary(signatureDTO.getBase64Signature());
+            Signature signature = dataToSign.finalize(signatureBytes);
+            containerToSign.addSignature(signature);
+            currentSession().setAttribute(SESSION_ATTR_CONTAINER, containerToSign);
+
+            FileDTO result = new FileDTO();
+            result.setName(generateContainerName(fileDTO.getName()));
+            return result;
+        } catch (Exception ex) {
+            LOG.error("Signing of container caused an error", ex);
+            throw new RuntimeException("Signing of container caused an error");
+        }
+    }
+
+    private String generateContainerName(String fileName) {
+        return FilenameUtils.removeExtension(fileName) + ".asice";
+    }
+
+
+    public String getContainerName() {
+        FileDTO fileDTO = (FileDTO) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_FILE));
+        return generateContainerName(fileDTO.getName());
+    }
+
+    public ByteArrayResource getSignedContainerAsResource() throws IOException {
+        Container signedContainer = (Container) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_CONTAINER));
+        return new ByteArrayResource(ByteStreams.toByteArray(signedContainer.saveAsStream()));
+    }
+}
diff --git a/example/src/main/java/org/webeid/example/service/dto/CertificateDTO.java b/example/src/main/java/org/webeid/example/service/dto/CertificateDTO.java
new file mode 100644
index 0000000..0f81e39
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/service/dto/CertificateDTO.java
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.service.dto;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.List;
+import java.util.stream.Collectors;
+
+public class CertificateDTO {
+
+    @JsonProperty("certificate")
+    private String base64String;
+
+    @JsonProperty("supported-signature-algos")
+    private List<SignatureAlgorithmDTO> supportedSignatureAlgorithms;
+
+    public String getBase64String() {
+        return base64String;
+    }
+
+    public void setBase64String(String base64String) {
+        this.base64String = base64String;
+    }
+
+    public List<SignatureAlgorithmDTO> getSupportedSignatureAlgorithms() {
+        return supportedSignatureAlgorithms;
+    }
+
+    public void setSupportedSignatureAlgorithms(List<SignatureAlgorithmDTO> supportedSignatureAlgorithms) {
+        this.supportedSignatureAlgorithms = supportedSignatureAlgorithms;
+    }
+
+    public X509Certificate toX509Certificate() throws CertificateException {
+        byte[] certificateBytes = Base64.getDecoder().decode(base64String);
+        InputStream inStream = new ByteArrayInputStream(certificateBytes);
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        return (X509Certificate) cf.generateCertificate(inStream);
+    }
+
+    public List<String> getSupportedAlgorithmNames() {
+        return supportedSignatureAlgorithms == null ? new ArrayList<>() : supportedSignatureAlgorithms
+                .stream()
+                .map(SignatureAlgorithmDTO::getHashAlgorithm)
+                .distinct()
+                .collect(Collectors.toList());
+    }
+}
diff --git a/example/src/main/java/org/webeid/example/service/dto/ChallengeDTO.java b/example/src/main/java/org/webeid/example/service/dto/ChallengeDTO.java
new file mode 100644
index 0000000..e0fd24b
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/service/dto/ChallengeDTO.java
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.service.dto;
+
+public class ChallengeDTO {
+    private String nonce;
+
+    public String getNonce() {
+        return nonce;
+    }
+
+    public void setNonce(String nonce) {
+        this.nonce = nonce;
+    }
+}
diff --git a/example/src/main/java/org/webeid/example/service/dto/DigestDTO.java b/example/src/main/java/org/webeid/example/service/dto/DigestDTO.java
new file mode 100644
index 0000000..dbb3e6f
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/service/dto/DigestDTO.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.service.dto;
+
+public class DigestDTO {
+    private String hash;
+    private String algorithm;
+
+    public String getHash() {
+        return hash;
+    }
+
+    public void setHash(String hash) {
+        this.hash = hash;
+    }
+
+    public String getAlgorithm() {
+        return algorithm;
+    }
+
+    public void setAlgorithm(String algorithm) {
+        this.algorithm = algorithm;
+    }
+}
diff --git a/example/src/main/java/org/webeid/example/service/dto/FileDTO.java b/example/src/main/java/org/webeid/example/service/dto/FileDTO.java
new file mode 100644
index 0000000..09c82de
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/service/dto/FileDTO.java
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.service.dto;
+
+import org.springframework.web.multipart.MultipartFile;
+
+import java.io.IOException;
+import java.util.Base64;
+import java.util.Objects;
+
+public class FileDTO {
+    private String name;
+    private String base64String;
+    private String contentType;
+
+    public static FileDTO fromMultipartFile(MultipartFile file) throws IOException {
+        FileDTO dto = new FileDTO();
+        dto.name = Objects.requireNonNull(file.getOriginalFilename());
+        dto.contentType = Objects.requireNonNull(file.getContentType());
+        dto.base64String = Base64.getEncoder().encodeToString(Objects.requireNonNull(file.getBytes()));
+        return dto;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getBase64String() {
+        return base64String;
+    }
+
+    public void setBase64String(String base64String) {
+        this.base64String = base64String;
+    }
+
+    public String getContentType() {
+        return contentType;
+    }
+
+    public void setContentType(String contentType) {
+        this.contentType = contentType;
+    }
+}
diff --git a/example/src/main/java/org/webeid/example/service/dto/SignatureAlgorithmDTO.java b/example/src/main/java/org/webeid/example/service/dto/SignatureAlgorithmDTO.java
new file mode 100644
index 0000000..31373de
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/service/dto/SignatureAlgorithmDTO.java
@@ -0,0 +1,61 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.service.dto;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class SignatureAlgorithmDTO {
+
+    @JsonProperty("crypto-algo")
+    private String cryptoAlgorithm;
+
+    @JsonProperty("hash-algo")
+    private String hashAlgorithm;
+
+    @JsonProperty("padding-algo")
+    private String paddingAlgorithm;
+
+    public String getCryptoAlgorithm() {
+        return cryptoAlgorithm;
+    }
+
+    public void setCryptoAlgorithm(String cryptoAlgorithm) {
+        this.cryptoAlgorithm = cryptoAlgorithm;
+    }
+
+    public String getHashAlgorithm() {
+        return hashAlgorithm;
+    }
+
+    public void setHashAlgorithm(String hashAlgorithm) {
+        this.hashAlgorithm = hashAlgorithm;
+    }
+
+    public String getPaddingAlgorithm() {
+        return paddingAlgorithm;
+    }
+
+    public void setPaddingAlgorithm(String paddingAlgorithm) {
+        this.paddingAlgorithm = paddingAlgorithm;
+    }
+}
diff --git a/example/src/main/java/org/webeid/example/service/dto/SignatureDTO.java b/example/src/main/java/org/webeid/example/service/dto/SignatureDTO.java
new file mode 100644
index 0000000..5253a48
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/service/dto/SignatureDTO.java
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.service.dto;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class SignatureDTO {
+    private String hash;
+    private String algorithm;
+
+    @JsonProperty("signature")
+    private String base64Signature;
+
+    public String getHash() {
+        return hash;
+    }
+
+    public void setHash(String hash) {
+        this.hash = hash;
+    }
+
+    public String getAlgorithm() {
+        return algorithm;
+    }
+
+    public void setAlgorithm(String algorithm) {
+        this.algorithm = algorithm;
+    }
+
+    public String getBase64Signature() {
+        return base64Signature;
+    }
+
+    public void setBase64Signature(String base64Signature) {
+        this.base64Signature = base64Signature;
+    }
+}
diff --git a/example/src/main/java/org/webeid/example/web/WelcomeController.java b/example/src/main/java/org/webeid/example/web/WelcomeController.java
new file mode 100644
index 0000000..66d34d3
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/web/WelcomeController.java
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.web;
+
+import static org.webeid.example.security.AuthTokenDTOAuthenticationProvider.ROLE_USER;
+
+import java.security.Principal;
+import javax.validation.constraints.NotNull;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Controller
+public class WelcomeController {
+    private static final Logger LOG = LoggerFactory.getLogger(WelcomeController.class);
+
+    @PreAuthorize("hasAuthority('" + ROLE_USER + "')")
+    @GetMapping("welcome")
+    public String welcome(Model model, @NotNull Principal principal) {
+        LOG.info("Showing welcome page, logged in as principal={}", principal.getName());
+        model.addAttribute("principalName", principal.getName());
+        return "welcome";
+    }
+}
diff --git a/example/src/main/java/org/webeid/example/web/rest/ChallengeController.java b/example/src/main/java/org/webeid/example/web/rest/ChallengeController.java
new file mode 100644
index 0000000..602a11d
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/web/rest/ChallengeController.java
@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.web.rest;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+import org.webeid.example.service.dto.ChallengeDTO;
+import org.webeid.security.nonce.NonceGenerator;
+
+@RestController
+@RequestMapping("auth")
+public class ChallengeController {
+
+    private final NonceGenerator nonceGenerator;
+
+    public ChallengeController(NonceGenerator nonceGenerator) {
+        this.nonceGenerator = nonceGenerator;
+    }
+
+    @GetMapping("challenge")
+    public ChallengeDTO challenge() {
+        final ChallengeDTO challenge = new ChallengeDTO();
+        challenge.setNonce(nonceGenerator.generateAndStoreNonce());
+        return challenge;
+    }
+}
diff --git a/example/src/main/java/org/webeid/example/web/rest/SigningController.java b/example/src/main/java/org/webeid/example/web/rest/SigningController.java
new file mode 100644
index 0000000..c049630
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/web/rest/SigningController.java
@@ -0,0 +1,75 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.web.rest;
+
+import org.springframework.core.io.ByteArrayResource;
+import org.springframework.core.io.Resource;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+import org.springframework.web.multipart.MultipartFile;
+import org.webeid.example.service.SigningService;
+import org.webeid.example.service.dto.CertificateDTO;
+import org.webeid.example.service.dto.DigestDTO;
+import org.webeid.example.service.dto.FileDTO;
+import org.webeid.example.service.dto.SignatureDTO;
+
+import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+
+@RestController
+@RequestMapping("sign")
+public class SigningController {
+
+    private final SigningService signingService;
+
+    public SigningController(SigningService signingService) {
+        this.signingService = signingService;
+    }
+
+    @PostMapping(value = "upload", produces = "application/json")
+    public FileDTO upload(@RequestParam("file") MultipartFile multipartFile) throws IOException {
+        return signingService.createContainer(FileDTO.fromMultipartFile(multipartFile));
+    }
+
+    @PostMapping("prepare")
+    public DigestDTO prepare(@RequestBody CertificateDTO data) throws CertificateException, NoSuchAlgorithmException {
+        return signingService.prepareContainer(data);
+    }
+
+    @PostMapping("sign")
+    public FileDTO sign(@RequestBody SignatureDTO data) {
+        return signingService.signContainer(data);
+    }
+
+    @GetMapping(value = "download", produces = "application/vnd.etsi.asic-e+zip")
+    public ResponseEntity<Resource> download() throws IOException {
+
+        ByteArrayResource resource = signingService.getSignedContainerAsResource();
+        return ResponseEntity.ok()
+                .contentLength(resource.contentLength())
+                .header(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=" + signingService.getContainerName())
+                .body(resource);
+    }
+}
diff --git a/example/src/main/resources/application.properties b/example/src/main/resources/application.properties
new file mode 100644
index 0000000..cbb42d2
--- /dev/null
+++ b/example/src/main/resources/application.properties
@@ -0,0 +1 @@
+spring.profiles.active=dev
diff --git a/example/src/main/resources/application.yaml b/example/src/main/resources/application.yaml
new file mode 100644
index 0000000..ba1e78c
--- /dev/null
+++ b/example/src/main/resources/application.yaml
@@ -0,0 +1,11 @@
+spring:
+  profiles: dev
+  servlet:
+    multipart:
+      max-file-size: 5000KB
+      max-request-size: 5000KB
+token:
+  validation:
+    local-origin: "https://web-eid.eu"
+    fingerprint: "11:D8:AE:60:EC:19:10:C7:94:D7:4C:82:C8:0D:96:B2:07:88:B5:6A:D2:65:FF:F9:B5:14:C8:75:F7:90:08:E1"
+    keystore-password: "changeit"
diff --git a/example/src/main/resources/certs/ESTEID-SK_2015.cer b/example/src/main/resources/certs/ESTEID-SK_2015.cer
new file mode 100644
index 0000000000000000000000000000000000000000..b16695560fd7f7498f20dedd8ac67098f6eeee57
GIT binary patch
literal 1652
zcmXqLVk<CcVvSh9%*4pVB;e}7$=yEZy<%9=n#=ccq@xXZ**LY@JlekVGBWb8G8mK^
zavN~6F^96S2{XC68Y&qmfH+({l8(U&!Kp<hnQ56N#i^-9nYo$8*{Q|ZrNxFC25KNR
z%sle0t_sc&HOYx3nfZA@US3I2szOkHeu;v!qoIU>7~D2aMlsHU>`aH^Y`xS}0|jwj
zLsLT|LvuqTV+#}GC<%Te17ib_fRVAOrKx3<K{DwM6E_eAIV_Qf&o3m%)m7Kfz}&>#
zz|hzbD#6Ud=NcU1>gl2z?5$vAU}$R4#H55AAdIXG%uP)E3_x)%rY0svhD(jVu3Y$-
zdv)*Rlc$-Z+A{VrzWXzG;oX))^Dp^`Io@Z~RhZCS=H;?cUo-Y&lG_^QuoG;OyZ1TY
z&s`VxQ>X7!_pTEYrSzX%f6IEM*H+bX4M&76M}F!Q1#6Zl*>x_bA4KU)e5SWd!23qP
zUT&sj9i88z`6i*7+Fow_>y%EOnrrkR^<U|#yPw{r%_?A%6%~t4dsLDAKV*yhm5XY#
zS_9IKt#9u7V<VT#=ietD^w@(b;Eo#i_Vdo&C*<GM`DmJD<gdGPis8JI_R`Q*-8{$s
z{mHI+e4fceydq#;;=lPZyV=gSF4}j@HE%}Qk`qVt-mRH-(=qk~+ue`rA6M624SiIs
zbMfz!pJfN?&P0n{J9zbXaIf9|Rp%H!a@5Y5^=d`R^%F|#XYXqJUcoO{{q&{EqJZ^p
zv!r$|Y~py&ByK%>xyWPr3-vOBNkXD#Lh-*2P4$x$Xx&sBFWoh{-1IZgvIBe5mKc1o
zY3y7Ttz-CNoqCgT7GrdSOPh(Q>?3uxOCrJ_G$&MgZk60RkF{HF#Sb6H`f7&&@0dwf
zPp34UYA}8ywRHub`R|7^otx`Uh?~ykHcRW;Q{?ZX?RMyhv0RXg$oZvl4p~)SI{Tb<
z8$4b$`Ml@aQm!+eJD<d8cW2eb+U4$fFyDRVszph9i(f3dlb)OsRB%D`HDg#X%k1aJ
zvoj{Xiaa3NR`Sx3iJ6gsaWOD808<2;fjlsE$ttq|Q+0!g(5EQ7S79>y&$6xg_)+!b
zO7ANoGYw=x3iw#WSVT6j?$|T)YSNNcEsnEWWQ(kui`)YZ_(0P9jEw(TSb&+6&7d5_
zS70eH$TQ$zV`E|HuVQ2ZW=3`vhVC~GK&Am3r#2fS3*$L?Mn(f=14T9tAeWVuorzIQ
zG^3=Xpx8=Zzr4I$51gg+odbdmxDh&-kU7lA92Ns1kj26vhj19M0V!ZgH*f@r$+1`&
zSS&O%U;$<fB?GQ@4hASNP-<6zv2oD`>L4RjSriQ9U@m3mgtM67EEa<r7@Lt1?0W?m
z-+-}A1mrWI$MTbl3t&ETH1L9}U~032sz7)>8CVDv>$|$fqm)KK9;h^m2bD(g&W?I1
zsYQCpMI{EdAZN<6m>HND7%ebZpx35@VPH{eL4I*&Nq$kKesWPxv3_c5a&l2}B2aq{
za(MwPK$)8u85v5#c#_QReYI~LUOw&9aV`Hi;jMq~KKb|XU2x?R9jl3!XIVo0ZYv(S
z&p2Op@<RUXCf%CVj}78-=U>V?mgOcP?e^&Swgg`8Lk9Lwc8aMT*f_WD$n`_=Ts!uy
z^C+wf{uaFH+$!mv8#xO1CVihh;a)`luN!XPYX3c|U8ml7TE^l~-|g$S%5Hpp!sL4X
zx$eIe>(5o)ubH-n<NHp|HkEDX1tZ-2=f-Z^Jge1xUe67!Y{^Vj{e{iG^6|M#^$zOZ
zR_MO8GVcp_{+ta8r}pl;`!7HB{kio<=Mv9|T{@w@Kz?_`$z==v+z@3DJ^kp}k97OP
a*7^5-xW|ieyh<?TzRuIX?f)?k)29Gp97B)*

literal 0
HcmV?d00001

diff --git a/example/src/main/resources/certs/ESTEID2018.cer b/example/src/main/resources/certs/ESTEID2018.cer
new file mode 100644
index 0000000000000000000000000000000000000000..6200181ffbe32047257a19c847ed230d095e953b
GIT binary patch
literal 1371
zcmXqLVhuNFV%f2PnTe5!NubpI*BX%$@9yZuX;=QGg}yc5V&l+i^EhYA!pve2Wyo#7
z$;KSY!Y0h*>S`!$APM4d@dyQbD|osn1n1|JmSpDV6)QLf8;To<f+Q1p`20eGTwQey
z4a`l<4GfJ9MGb^O63je2KvDPnGG|94149b~IdNVfX=!8t#70IIQR2MD#s-!KrUsUV
zh6ct_1`*V-Ti8GlVmFs-aEPm?3)tqy*#-h^>|jqaF|x60H?lA&GdH#|urMCCkj#JU
zb<wu@>xl}#{4EZD8=UiQ7|m7nS=nAVC+d`}>%&(UQ<|iY@8C_jVX|U&gv&Fph3r#v
zmY6TgXKhvyo)F2{r~Fs<j(1GKHsy+QN52dAmzzqbE|Oky#eFG<DBHyF%TnHctlQq4
z@-Py$;VB3co8FLd^?Rk4^CO0xML%-1U0j70H!;f^G%-sW$O9cNtIQ%{Al4vKry2I#
zWKxA+`NMoYW33s52mhMPH;@G>;A0VE5xKdh;C6i7z9~NzJlW^I=z_`GSz1B{d?0Cl
zM#ldvEWns%GY|stg+Y7{12!PV#K>UK#CR4Ys=(63cm&8fV8Fq~#=_8F#mEGVc6Jtq
z?l%rVrV$&rHX9=gWAj8sMn*;hWdlVv4xj)lD?1aTm}o{xNkOrdzJ7Umxn6O$UTUho
zb3m{GFR~scByK&(2ozaXR4yATmmQVMjLKy}<#M2MIZ?S>s9bJTE)Ob~7nRG0%H>Dp
z3ZQZYQMp2>TwzqM2oe_<IA~#o>|dZPvVVbG<e&p`*$lKm(WwfGWCa5`SS&Gf!dXmk
z7K=d^j14q4&LGA>6UH}SY?B4WDlk$LGZUeanwqMco?n)n2+l$JaHULb%21`rP=&~u
zTrVZHNH4jl#6SY3fsvVo$AAlx&idSdNx=Z*VtE!#19bz{1<DH)+vM??mt2&CTtG25
z_AnSUb}%_H+}r79A$#UZPSB*wzU}Gf6^bGx%B|g3ak`kRoY`7vRdOJ3j@pBu3`Y(I
zlNnRm^A$Zm<|j?qG3nH+XA>ryv>4iIF*z|RuVU`CR9u&?WpdKyHoH@>(wk*DibsxH
vHN+Il?|g7yGCo*=t>@%SyV|wW>~DXbCmgq(g@^f~dx!()8JmCmqDx}|!-qnr

literal 0
HcmV?d00001

diff --git a/example/src/main/resources/certs/TEST_of_ESTEID-SK_2015.cer b/example/src/main/resources/certs/TEST_of_ESTEID-SK_2015.cer
new file mode 100644
index 0000000000000000000000000000000000000000..7749286c895084bf2d7bacb98b742a01cd684122
GIT binary patch
literal 1671
zcmb7EX;4#F6wZ5ji4YT@LXe$^l>i-*`vL)3WD$Z;z=c%<B|v!8$dWXPA__%=1T2V%
zXi<csC{T6Uf{5)@DcGo~EV9Xz3JRi9s;z*wC@Azrh3a(rqxa7}-<fmo`OcYhKA<3H
z0|hCmk_baEtf%Mna+h`d&{Tx1-i8}uS_f!kZ9ApEa*75)R1yJXqKknxnHY|c^<f?l
zwE_$cpiqsyLm8o%R4z&s$z>QO6{Uz|Nti5Ys|*EzrHLU@nPI%pFormh!Q(M}UdIaK
z<RWn@j#A}Pj1eLh%Nai2s1Yz+$f^w)YD<ztUa}+>h5^P>8p=gE=t|&>IygG=jdVG{
z0pJd2jsw?)>%s>~|DWJeK-UnAqw1^;3*qtXQQ++83{VHu5}3bcZn(faG>jMEYabfO
z-~f~h6tLCX4T4Anq5{?>;C>3MfFXkFHX*9@YOKZPhws_e%qlnO<cJk=|5Ha+Q}{Pd
zYhznxbdm9K&$W48*iADxMNUk9T<Q3OjG?m5ph&4~KjqTC^1iRz%wH<|rLom$(U@`m
zj=&pN`?Dt=pETi&pI~%fHBY6li%px(zwn1O_(fLG-ZxnuPHG-=d)~snJ+-c1El7Xx
z;@Fj*z(%HdmCJW(Mw`=Oq>xqQNRwIF&n`~1KE|CGi>^}+HLlswpy~$=6&4-s8xoQu
zPWZNaI-1?K_1m)=i%?y>INNxazUcC3=NFXg{Lh`Ad45@PS*LrIYTEetNUfHrv#Vuz
z!^?qN&#WMG!<^jJDzbBy1YKXU#6!Pztk|T2UvZ`;T2i5xe=9g>AlSFJ&0{qDxBce}
zGxzCtI8=KbySVY7swKF3L{S$NR&#0?itslb-bPA?nh!_1G3$MPD2FPu$I{g%r!&R2
z7Wd~~5Wl%Zb&m2WF~aUx^f0H!IT=uI@RRV8ox@z?+~Vy|8D@qT+J=qy&-q8w#2zEW
z2o9}C(Yo!lu)kE2_u_8K=yLn6HR<Y!3@ADL#9)tV$ge<MFqwL|K9E#L72Qwr>I5`n
zsa6&<RK(r-tJ=fvFugXUu6V-x$e*Hzdba3sY_QL>tfKJg0aY#En=1H<22%?{K4E76
z{^(l5NYEX2cK46HW>pDOFcBg^RSKAfPlPtG#D~dzIf763E`#%ql=4$-y(^>3bedFk
z*cwyfw%J$HX0C%6A_f7?lfEw4%`!hX+RE7Mx;}dwWi`;zyw`=GIRwF%l?)O!n1Kku
zM*t;LJ|IH~)L}`4Ag~-PBWvN9L|OzxhV;#HxkTp5W~Zg4v0kka+h=_!puY74eg_fX
zK?qo)$)m5ys|CpTg%39H*7z(CSFrN96F~4iumY4^Ey9}vta2Ii_J7@gsrh0B!T=WY
zWQp1f7QA2~VE5j606|D5*a=q5V*n|QHPzw8C15GyH`NK_1Y)5~0zwwTV5Q%iuzz|W
z#1%-!)-1L_oG9S&1n)=^jx>@a&`6TN$D5UaNm)Xv9QbHRTO#fNue{Q!(oxCzcXy?j
zL@X1@#nN=PP?{`b%Q2Z;fMG(RR2YYUlKi%0;F?NQKoFtDWzSej1FN!l*U`=!Cn?sn
zJBhYMN6%(Y5V8znN<+$f>|Emwh@a_k>IXiqZaCYfpj)CtH)li_+}E{7H<1W@=XS#^
zk5pEZ4tXR;>CsZo?QFTW^+PAsUsa#xxl6cvJp#_n^fag0JjuBf6Th2TRy19ex5>-q
zfckldT}3N)JvnlfKYgd2=Q$TXbg#><v~R{E-t_x+VK;ZTe_KzaNsfI+ZCugz0~^EV
zS_U2tPFIL%L+74M>X!ff?V+wV{=G&xpz=_SnV;64Ak!`EPhIYw8ESfeZIIag<Yb|1
npsl+1pr516$c_AHe8)6XZ5sGEagHA48gu0*>&l~psrr8d>b^~V

literal 0
HcmV?d00001

diff --git a/example/src/main/resources/certs/TEST_of_ESTEID2018.cer b/example/src/main/resources/certs/TEST_of_ESTEID2018.cer
new file mode 100644
index 0000000000000000000000000000000000000000..6a96fb083686e6210a1c5f14cfd0cf7780227843
GIT binary patch
literal 1408
zcmXqLVy!V~V!6A3nTe5!Nx)3vv*-7+0I%o?Zz}}*_*@OR*f_M>JkHs&FtZpW8FCwN
zvN4CUun9A{x*AFwNP;+AJVL?V3Z5<s!TC9*C7Jno#R`tWhT;aIAjw1?KEIG4S65v_
z19KB|14Cm&Sp#X11T&9Fh-+|&LVlV8P}V)a%-PY%z|g`#PMjA=S{j%Ev9YO9lsK=k
zv4MrLfuWI!g^@*+K>{`00ChPtj}Y7q!6B}mE?^fl&NdKWV+VVhiII&}yOD)KnYpoz
zfrasC_kxE9wGJgI|1P<j>6utBF!f7_Lfs2h?))#ovL01yOs^$8Hv4%@O;YUWqT3NO
zc01ipG{_6Q?x*_ZR`nF|^=l*;`K~|cT_1Pn&}An#yMmB?fjr6EuO+pba)uqLp4KBV
zbzw`_sx^`u6{oYmyS??z>|@{7i7fJYeYVWxt@OOJ^I09@Uo387HZo{p)-#X?2BNGo
zi-dt#gGfD3!Hq9Z`x(pM9naO&-1+6?pR5B0vLFR~EMhDo2U=!o9`T!R&1CXz=0mP9
z1`bWTY6CuyG(RKbe-;*C%(EE?f%w88K8FDtkYZwFFlb^t3lddeX<|GA<Qy>IU}Ixp
z=&xdA0wx1?7KZLO4nU?68@DzaBMW2mL`6m>MgwI7MK%tg04pmy6Qh`DMoCFQv6a4l
zd3m{BakgG+s=jkTumLZ!9wsDiJ;(?YSyogo8!DF_mCKCEWkKa~pmI4;xm>7RZd5K0
zDwh|P%ZJM4N978jas^SjLa1C}RIUgT7Z^BbVTJ5ppe(X~fn4OE19I66v_R3R3W{U}
z136eMF>}IMOmG&9K{<@g$jFjykZGU?;~OxxDS=`Y7^#VwiFzrix%tqTO-<EJ&o4_(
z1ZN|2xO%2GZK(QWsKSuc;*$9Mw0Pv44>YJqFS)41Kmw+bk(q_ZfD4l7`rH^94J<&;
zmuE3F&^ORspuIq|O`RBXlZ$eYOEKog9tMNP4kjl?h4}8(+C`ah8qZmUX4i_II#8o~
zb?t&zpUu`zXpvhh^-pISU-1u>%8&21R0?L9i~O!U&hV!~!#3N5J*-aOZ}+OJOim1q
zA0B_1P*dL@UEOxMjI-jUmtku<U$9S~&eeyTe7A22nBo}YDWdr?IyG{$#7F;Sdqhf=
TAAR`c_x_C=Yp1IWpYcxsAdy-{

literal 0
HcmV?d00001

diff --git a/example/src/main/resources/certs/trusted_certificates.jks b/example/src/main/resources/certs/trusted_certificates.jks
new file mode 100644
index 0000000000000000000000000000000000000000..0276f80a9d40486ac22b88b73f38cd5bf513e9ed
GIT binary patch
literal 1345
zcmezO_TO6u1_mY|W(3nbsj0f@`DMw8Mh1o!K*17~*)={4tPy&q29^vAEPo7|SbhL;
z<N{_UMkXc!gUuVJRta8ejP9Sie5SN|wE-6!hgO@%Ia?NH7K125ZUas>=1>+kVJ25s
zLums^5QmFLDA-%U(?uaTKc}=LGe56b!7<oS+&~m0naIQE7ZT*^s%vOqZeng=Xly8I
zAPkaV=HUT~y62ZUJAzzhASccXBrOeq&N4JKFpd)EH8w`#($wz8*#-h^>|k#)F|x60
zH?lA&GdH#|urM5#{(G~bFv>nZZL`3aU7TNc*EpDIJv_xd_wZYdP_s{;AF?WQUb)_T
z+y2q}+FmaSLH0S*o`#+|nIJHwbe?lr#jDed(+urw*q&5$TvKy7nIE7T9w)@JzTI@1
z&&6ZCvByiN<iFXU@p$fcyGstI7G-^T^5#{>o7IfrJ$1IZ->Nt=HwVmSU);pB$DoO6
zhk+0<*kpwn8UM3z7_b2;CPqdBK9CqcNQ?y-e{2ROAigSyuVtXY#-Yu|$jZvj%n4^P
z!C5SD7NdbINEaWA7>h`qX4rF+NfmzO5A*emwPq9^{A)7bKprHm%pzeR)_`3>6B7eS
zi2_R#<9CB5#?J;EY-}tH{Z))iz~sWt!qEN30mw9B;|98ig|T^}A|uf0$_9!sConOJ
ziDs0P6ck(O>z9|8>lJ6~rKajT2Lv1NBI{v7;?{$VK#^rd<+7o2*-^R7s9Y9QE(a=?
z6P3$_%H>Ao@}P2gQMr7mTz*up04i4yl`DkG6-MQXAaQ|#gBDiE{sqb+`xnSX4mu#0
z&A^b23l>#eM8=c^EHW9HS$GV%AW5Ll4H!#EB?xn44}(Et2a^-y<n=W|%hx7fdHbS<
z@43VLvzIt}RxYhkGJh;IH+WOsVcT5O=xtky3WUUS<lXn)(y#h<#Cds$uU%;3!$Qw9
zy)PU>fM!fRmaZ38ZS>}<PJvlT)gFy~X-BON7Yb}>Fc%JrmMb(`b3{qB=J6`cV{c0W
w0#2|9f1bD@Zq7c%U;NjCce=elexl`<`}>(IGj_5!BoukZADy|;Cn>`Q0M189!T<mO

literal 0
HcmV?d00001

diff --git a/example/src/main/resources/static/css/main.css b/example/src/main/resources/static/css/main.css
new file mode 100644
index 0000000..3de3421
--- /dev/null
+++ b/example/src/main/resources/static/css/main.css
@@ -0,0 +1,69 @@
+body {
+    font-family: "Inv Maison Neue","Maison Neue",-apple-system,BlinkMacSystemFont,"Open Sans",open-sans,sans-serif;
+}
+
+.has-advanced-upload {
+    outline: 2px dashed #92b0b3;
+    outline-offset: -10px;
+
+    -webkit-transition: outline-offset .25s ease-in-out, background-color .25s linear;
+    transition: outline-offset .25s ease-in-out, background-color .25s linear;
+}
+
+.adding-signature {
+    height: 14px;
+    color: #000000;
+    font-size: 32px;
+    font-weight: bold;
+    letter-spacing: 0;
+    line-height: 14px;
+}
+
+.welcome-line {
+    height: 40px;
+    color: #000000;
+    font-size: 14px;
+    letter-spacing: 0;
+    line-height: 20px;
+    margin-top: 1rem;
+}
+
+#webeid-logout-button {
+    height: 2.5rem;
+}
+
+#file-drop-area {
+    margin: 0 10rem;
+    padding-top: 2rem;
+    box-sizing: border-box;
+    outline: 2px dashed #92b0b3;
+    outline-offset: -10px;
+    border-radius: 3px;
+    background-color: #F5F5F5;
+}
+
+.is-dragover {
+    background-color: #b7dbde !important;
+    outline-offset: -20px !important;
+    outline-color: #ffffff !important;
+}
+
+#file-name, #file-drop-area, .welcome-line {
+    text-align: center;
+}
+
+.eu-logo-fixed {
+    display: block;
+    position: fixed;
+    background: #fff;
+    bottom: 0;
+    left: 0;
+    margin: 0;
+    padding: 5px 20px;
+    text-align: center;
+    z-index: 1000;
+}
+
+.eu-logo-fixed img {
+    height: 86px;
+}
diff --git a/example/src/main/resources/static/files/firefox/firefox-web-eid-extension-updates.json b/example/src/main/resources/static/files/firefox/firefox-web-eid-extension-updates.json
new file mode 100644
index 0000000..776d6ed
--- /dev/null
+++ b/example/src/main/resources/static/files/firefox/firefox-web-eid-extension-updates.json
@@ -0,0 +1,12 @@
+{
+  "addons": {
+    "{89bcad3c-5c95-4a6c-a5a5-64da932f6bf7}": {
+      "updates": [
+        {
+          "version": "0.9.1",
+          "update_link": "https://web-eid.eu/files/firefox/web-eid-webextension-0.9.1.xpi"
+        }
+      ]
+    }
+  }
+}
\ No newline at end of file
diff --git a/example/src/main/resources/static/files/firefox/web-eid-webextension-0.9.1.xpi b/example/src/main/resources/static/files/firefox/web-eid-webextension-0.9.1.xpi
new file mode 100644
index 0000000000000000000000000000000000000000..c52b40fd5fe649f036b7a704f8a5edd8c82c1285
GIT binary patch
literal 78545
zcmZ@<Q*b40u#9b=7#k-iwr$(k*tU6M+s<xm+Z$|bdt)2-zpuCI&b-abH&rwBRo8U4
zvK%B778u-r`F{iXzk;dBPg_eDM|TG^ppEN=zr7X#Px{UC2SQ7M;1<<S`Q){%JhI6t
z-eDOwg`ko0rY0Sfag9a;1)V!-y8gVIor02;dA+q!;R?%{<wz(k8Lj`~S)#MkCV@Wp
zHpF;#8={~9{KkI-%{Uha@cs4JWC_MiNks`5XoMVPJ_rM<LxV-LSly2hCb5jqwfDna
zTwVsJ|5}0A@vjha+hgEr2?|(o*eXQtJc4Tq*}deU#XTry&?CC}#X;e%QM~NEb!e;e
zj8d3P)@I_yN1e)c6KB;ih~T#Un_vNK9ibF;EVUy7Yf2jB>4Lx*>^kJH=iAoSIo@Hq
zcZKvKk&4R@8niEjq1Mo>y&&YS!{lzwAJhtoFy5D{cW2yF1f;YBag|pe+)XTQYAzz>
zgsdy3mk$O)`k0?!7n8V7{BHpBZa$HZFbqZU@B?Q(t<~h|b8^@Fo^m%y<^$vJ$b|#c
z&lr*K)60>_FXLI?oxas;BI4eEm)~B_Zhp?|B)Nnn$Zy9KtB^H&Sit~OBt<kdEJz(0
zygvhQaqtpg5Yel-#u5F<W<kYB*ef*Gt%kmglT?f^ZJ#L%UjdF@PJV8;4W2%3P7j9c
z?$KTn&cW1RA(*lj;l|W3FId4m5<kUh{|q4OgDHZEac9K+orK0yV}(S63=yJ{_q;Ir
z)QhKyprk<@MVD-bEQFvX&DGtEX@sJHqRCFOO{E7lE)tp}HN(OM)1J7tb~UAx*s3S<
z6mJ1u%V^|QDcu@VQerRtl$ktyyn7XxH(o)K{%kR;ir0t6k(!yfY_J10%eM7Rkb<h*
z1u?ZTl2RJp(BpVc1LhWY!4QyeaFQDk{jF&5=_Lp-q?y>6$_kHpM8e12nb>{8I>z!e
zURuiRRBZ;#G)@uy#)gNW8Mt0i#6-+tFe<{>sz&`Fo>C-ubsHzZ0HMhYlwrMtj$1{l
zbOPcZZnXB`kifsfFq0TZL}1P+nRX4k$uk`Cv9;*X%m>(5HKt)MEUgq~^l}LOjX$`u
zQIS~G8z3yr(@MHwbc`32g3wDtc;KLaMk_yOjU{nm&G=HoB3*#fpDteaaVJ|?!V(gp
zzITDm#GrzP2wiA?P2)`<jAIW%uqlvm*h#1E<o`q1D#*eMDHaFnj}KJR{n1adYfkJ&
zVjF_|N$$fK(Bj6Vw_CouApR4$*oPdSV5Vm9uKBof8ALA!ZZ&{053s%TaRj$Arwn2D
zK^C^v+$GKf;WP2had}ns^*jh}xnuPEns@Mg;L7bOq3sYpxGYkGgsApsnCi-wL5Wp>
zQmtP_MQ|?7gy9*e|8_A$whM5~7109*sT5TrZq%Mkl;a|>1dhO}VFFQc5c?5{+6bSj
zDC><F!)w@2)zBqHj1+RF^^D=>?cUU9tGs(%wzor{X6l69XqxIPVn3z*4xvL!?!Z5=
z)r^rQU7(t($au)#->#Q|yUn6<v>`W+&?)fyj>du_j>aAwMWutUg0vF|(Cs|*na2^Q
zPqdUv@L5{-)L}vlFTeLT2nDk!x+P&bGr}(B#y;j&lLSx#`Kbh9bwo3(6aLWM*v3B8
zEiXkjJ|4Go_hGR1^ry5X4r!Oxm3Uqk>G0B?zBA_thS8j}i;QaouP$)jrEl&g_kTp?
zcuSo!@MtHj|3QWR?}y26O%h8UaOsB+PocI5!W>^kE>aTUq&DZEy-|xt5zEE(YAhys
zRyLSnGGaC};|%2%X)u~rOFKtz`+ywOfQWGyUpRKtoF!?>5rOPWpU&q1^-_C`X{lZn
z&8A7?4*pEj-|>shPaj#OKoLH;IXTV7RHYj2>$i(%jlWB9p(YDQ=#2QKq90%Sw=Ak|
zaGfTpLDR==ejWO!HY*lZkDhD~&oIqgjd_(e@phk4wC9;E!u9xU^sEDMmZWP@nn-RD
zb&gQ^UPVX(jhPasH5I6jUiN{xz@$TiZgXhbM5tdffxFv>m)AzG(JPU!u^3u&Iv?q6
z0a)2!txH-9@9T==6!1Dfctu4C#dDrU*&)(_H!Z>`!L~TbI-ERs%d%K(e*<P|7J{fq
z+|eURCr{9wj5Br5_U49xnFbOnW2waF4uARgLAo@IiD4b`q6AI<g21`j9W0f97bmaT
z{h?;#OyHb)D+Z!o!t|*cY@KFhZ$th>NclaEehjTN^&3NzJ10QA#BikI`VZ{Ha7&Vm
zRq3)2oj5LJ@4Sf*5|Rbl5PWu-$6IgfU$=z0_##wgo&dTVq}$$2XB`vu?V%!M-Abom
zK&1I=y+idRROXGTz8UKjWq!!{FtgnZJnB}sk>WV@NfV~HB{XLFAF@uvqY=C9`MQ<>
z)=137=DpXyz37~bcai<^y*2j7qx%OYC|h(xdjmrcnFju+iGswyJ{~4Z2XiUeQ;aE-
zq?bm)KXMbd&B?dcD;TtIQsJuy0O~l3QVNBX#`^6mK^<#yM@4BeH@We#uo;w_OnwbE
zv-q1^{j=|ii#XzTwqMgv71A@A)YegCx#y?5(`$#%^f}xi-R+XL9B!zOgmQCiKhg5@
zh#j^I+}HApsD81Fd@yzb8za4J=#P@4`5AEES!KU|;TMCPMM?V4Y}J}fCfhWU89EMT
zt(=&o>?bZjK0BvdTP0B$=j^u@1L%DHmJ=;oQufs<M+^nT&vukOagT{q>8!t8{-(I@
z7WjRnd*m=WJq2POB;miWWa9m|=G`vbvNXSuX1pcl{u`$xCH~;tu}eUQOTg*d$Zz+H
z#}$+7qN+hngmjTNvuw_~WAh{dvb0&oKXmah0LEj~8w5=tr9FyI*>sbUO6Ohs$no(F
z)a^H!Su4*=8WGwqEGo*1Zc7MTR{Dt9n;E2vaRki{2@<EHF%M?VQ#6++=3(o=F{rLF
zT?<yl4k%vW(;+N5BDhsqduazG*wmOg#>adi6KEfU+V0MBPj9#e-+IMfg)$SQd69Gu
zdQNPJo8Bp$L+=Js)jN~*Xr*7%<kq;9aGkuu?>7cZh4xi9RUn@`*U%1oN1YO|hp#{v
zy{mx;y0fH+!2pLDcwg?-Ez^$+vd5jUj$?%+&H7y!x3C1H^m^Q3v3(RekEOP}O24F*
zlMJ7gcmApd?(_s$d;>=dYZg@Wi=b`!#{RZ-QVwDYrpW*e?Y!}BX(_qDN(g2vQfEEr
z1*L?->C^_`$m}q|f*^7>0q(6BIbg#QE+?<|ojoUou!7`XkKi-lRgyaJ07$L{@*D_`
zjZ9f1(w`aNP%HJ-iBmLSw-EY8;lNzXVf{)7AvZl{6o+y+NSe@E<!$g1SyI996%e=^
zBAX!)%#76&dKwYw-{9^+2!&ttslq_6*k}LwNZ<@vINQxysd@XtDTx!i>*T)*trJJ(
zmz)P&y2}t!sv@4^AWURw3!)pJ0<iOi5-L&Z8B{V?8mr%K1G5t*%Arl%XQkxw<ySP^
zkWh$?b21!a+G4o&3Ch9L_<Ng_OEXQ`EK7KO5<j)mHe-8Y*Cw-$pff1V-=K8Ob7wsi
zmQZN8vsvn4?b6e0j2#+m;;r;>T)EMuflS(M5ztS$dp?&6j3;AIw@=u*VKtzrr#L9?
zaCsa!xznf2-#hSnTJDCh_Z#mr=B7AHMYRJZ;B%u{<&9m;9TPP5I3=94wdgS7f8ZxD
zo+9Pl!3QV{$o=3gKuS?Fl*u9&A=qkSWyJt8FhG?BRTL=G+{Go!jJ3+*?>*o2zS!hN
zE?7L?wa>_}tBDhIGRlw_6r?=CU(s}qak0(ThvHcoCB|X~C>Q@a4Ph|k{2wp7uI1;+
z3_KiBo3W;K_r_}bNypz0LBlHw6fM^v!38ZmP;7j%9hFiH7AY2ssv(6iO`)_gR%{CK
zRfpmwTL{vTu(X>?i9`rQ+Xl1Z#;!48vu~CHZB|k3_QgedqVq2vVDMTP44QFBo3loG
zb_Z{7y~=C2T_;&M?;nL$>~RhbG4)h+SJfM<f3)X-Jw;}O9~xV!2@&P_iZlzeXAN^u
zWDIq@!(gfixDha{Wyz<#1wctoTizRiCa*>fOo^o18TM<)RHeU)X0Xt~4dPA7SZWuP
z2op#W_^4^dG~h18O8a5kY-Q{`7)}u!TfLS*L74G%MytgYD~b!VMtCuepI1M2*O3IB
z#OZ+WK4N=*@h*(yEnnE2$;+X1Mv3va(ye;N@l>E?WKYYRC-tTj=5Ksn?$EZ8>TGcR
zX-Uu@6E>vMxlECw)B!>Sjyg<A${@f6!=IAy6^?NnZn=3NWBR2w2dSV4p2}LHJr6X0
z`VyO$xe|7;!0fWvW<%<RP2$$2LtD<$SdzB7;y-65bPa|D(~+zD{XcKP$#s}dYe@-;
zior}qK`|W-Ti-uXyRqIZWTqXTo))be%)R7*wq1;VKF;})4}!wvzN4=jYQY0=e<z~{
z8(*Lw8R)O!VQ`s8GS`G8p1%=vBM$V8+r9>Lt2C-C9CYc?thF|*?O6S3)1vl}WW22>
zdPGIp6cPD5Qm_dug2R3_rFjpQ7_TQU-(RDLr#V=1yoAZCI@qKz(B07KsI&COGdCs+
zTX|`fB+SL#fXdOTs@<Z>d6Ai?wdv{M5#o?pgxdhwTsEPl>R%kC&J^GlgX3SFpWj-u
zviA02Ar5Wte)L5pe%RQ5qK@!oEjX}1J#41tsLdntMl~hXq#+KU3BO-CBi%x<=9TH{
zwS7gj1jI49j?&(21u{PM+@}D-D6&uh*qs2Bfz4n?p)t`;q81P8qknA$5<A!HdPK}*
z5V@fTTSqPxTo?03#aUi|fz#5n6wv1832r}8uak(ag7cq18}>E)eCyH*cvSsuXsSg+
zEM#Ut*{mOJo-W42z0I;qs`edVnTu+%#`R1@JT0P{PNDS8K$M0kfgugqGzH9)pkMO2
zoKlroT)BVz8j5Mtg4Ap27bA>B09uHMyaKe$0`eR~QTodmjYD4SIH^zHOS~C&jz}@{
z?&S{@%F*yJLD@eGhQSKj9>veSBrW+graR+VOctefu-pFTQD8!hCKZUlcymHu+ASLU
zLoj+sM|E-~?mv|sD|*hlhTwhWLq^QXQ(e^@v&Pj+@zUO-OEp6R2d>rqIt%MQ@M81p
zDbK(+p=(f>@kaBcG2P|LH#L&FG0<U+#FFDpsVkXBPSYn<iw(+O#F<0(YsH)R_zG2N
z-9*CO3k)J5_rqr^wk)GM<xcQtCEb75wUT?pxav~M5p?lzJPqWeRt04!ezUKYn8tCl
zuYM3HB~z-EnuIXq5sL(6^x<{R;OER%$?J$fAB3!Md|SupyDu<k>lmtEj74Q4CHh#z
zFlScQSK6pa@Sr9^lQG7Qf7e%C0F`@oYt6Fz;w7wDXqg!X$_5|j$*WXx>Dkey%7bDJ
zGFb&0TPFC~s$qUtHvE}pF$4|vGZqyTAug0y3$%q|r=rur=fjcLX~U@=5#THM@XAu)
z$b%v_56QT+e>n>k9dfp`nWm4#MOtWig2Jx6wCL-X54M9mhOym4J#4KE2a$fU?|O?I
z{SoM;I)k!6xOWcuQ#EZa1Nvt6`k-t{Ur<|QZAL#<nSQjG6!ru&N}(U#*GU4aimdHV
zel&N~BG@8PFB33kG>-|gshqf2US7Q{wx@g9N1Qo15{3LMl!N;|_j+)JEtPjh)Zt>l
z&0lYowHjw?z%yt#2BxKg5cRHJU<#C3rBa#tiJ4JC?P~exoVHQwC{EwfS~U@+n%KgY
zsAet)Q7Y2iZBq6n)BmC!)iYCEzeajg6%l{SDG+<mis<9(I1aC_$Lz|PE0MY^ni=5U
zQHPSRLKa-lsIm1YgVe${Tb`WA*?0t23C*DyL|_1>2D5Sw2kRX|6(BN(2_}JnwqMQS
z(!TSLVHk&&P7%Vtj>5eGr)X;ti)s^F&<i{Q^P-q%0AQI-ytZUa(%|KNAZu7Itxp^0
zqorc!hp+06W=*q0C^j|Qc#OQEn{oF$l>B9;J$<}FLb2O_K*Ct{mx!B3kt#-eRR4?x
zI254hj4EOCJcuqItkaGCe8MbK!oa~eJ=qvRAwhCunw~VzDHgN-OyyZq>?(UyP?_)d
zO8)$sjEq0!p8l_Eg|+pNR3Qp%QYdSfCR&K6E1a^GjdnUYC3gBOdWv~%r$9(Fiq(9?
z;Yj=#9?E;k9#X+SNve(iCUM^-_c3U~;;)P3(Gqgb@D5n^ejpSKgcjW4uv^@{Q>(o3
zbGBnT^;y6B%Y+GPuX4)&q%;$;>FIFjMvha32=`*!c4%SJ!&bp<wTdCJ<zkU))(5Rs
ztkxkO(yGl(Avb1}95%GkW(eU#KO*o);Sv&xBM1Hl)&w^|eWQb8E10m4x6YD2PNk-6
z4VWIx2u2jPkhZFgmN`=kGj{+@{8e`HtyXHg4!=jYSJ7u}^DIb9rJPE-Y%H%bXKT0H
zoS(}Kf{q)>Gl-#;l0<IOX<Kk7D_XM^$}c7HHw*Ho!}KLe6M1<Cc3hppCy+_8%tW96
zAm`Wq2j%0yaLsl%-TOi6tDONX-%S5nqvH}a%k$r!b%(X_MN75=n%ZE^rp7&YBw{VR
z7U9;JjQSBY^(hhSPttrAh?rT$JY4jcs2AEQOZ$_ZryGJaO6(5=d_Hs>SqD4%lW~ee
z!g3(8SA7-}CSzpdT8^rmSnJF#+{-=Ay{n?K2kjG`fvy@g!t$pPCoWYf)BZw=LIk_p
zKHE0p0&y8x>@$U(5MAj7__q=+Q90;0t|O%dzL3^H-`}P**DT@9Sw(I|ly&Oek{MhK
z_wg|@5_^^6bV|}Tl*oHF5#6j&qJtsQF&0%-{xt-+h;bN?%%x+s@STXu<B30B@ZJnu
zE*s+~^{myo%N5iXrf&wn8k^C}0nfp$tN59<y1531JU`+94^~;c7asl1@Ca~qg>zQ|
z5(h5W*K%N0^)%>4AtU&gzF@ge8NktTff!8jvH}^CV<tez_C&C5MjACwkocq*65UI1
z`C?O5dK$w6ZsAdRI=m#-Z#pR*c-lYU63jcANvqt?WTqi)22pd+*Rf$GaIAZSTcnse
z#KRwwr)x(P15cv!I$Ev$u@p2JQ}i7~mVK4(6E1U)B5S8IYy88R+yrqtBivaXF;REC
z!gIbP(e+;Q>LA{2@ajM1gGL;|zo{ml%M!A8LQqJmVU>aUGkA1$N!xy=`X9EfnZ+$$
zB>7@A|ML0xeg9p%u3=;6cIhr|*r1`g{$M&3*KU7UfqrOEmS%QzmDBE3>`EHTVLm9v
zR&}fe%-hv8ZK;kKu(T|1*EfcMcc$ag%Wm>|gp0Eu)zIi}DU3eZsK91Y(U?5lskg|M
zdGKYY7y1ZG%;{X@h6e=aZ^}pMo-bOeA4X^3#&Cq*1M$=;BED3j;@6N%<uXqq@fXcu
z^%con127PPkJBW_Wr%6yiimDR%mt&J$24F(QcXM=$aGGE9<I@~h^h@P4aoO|NA4#M
za6K6JF#o`!HL5(mg5$p{t<|nc@jgO^INtt+TZ(oQ;qsj1mN3_j_${=j6pFqr`na;&
z(Iw^?W96mKIX@>4!dG6E7gYlHu=GQ8dg_WZxbhPIA;<OR!uq1j^=}&mwY8l&CAtfq
z+j<a?hpP|N>a{tD5(8OCTjz7IdIddJIS0w?)|-G`4%1Xf>FgJO<J0WVB|~-3Th0k<
zRgw^e$k|~BVd_Pwd9u|?aZMZxJH@>bvUq=JB~J{;{U+D;68#E@r(<)v5)aS|{ir09
zEP{<TxG)$cIUi9XYyN~c_r<LZ;YI0SyqlhPrxi#nZ&s>)b5w%mewTd`Joi$>pU`ju
zP|-MMapLN;b;TWuF>>GA{dY4~#>1!6R5iSqyzE&<GBGqZi)C~#l!5LNCaI2F<C0P^
zwL2f;p{Byft75}B)3kjCMS;<Jx|X)@&g`M9OWV1JK~*JOzZA)VGv<k@W#@i*ezvbf
zP9D2kh49bAL3y{RBrA}OR$i3rvE;Ct3hS$!H$UJwYo|^{acYL2<5@;Yh(U7l-oGyA
zd2)C)))*3vV-`fP>Jfs?s|?VVUg=1HXH%N+TC{E^vXtPF6XprZEo|{5m6yhr=wri?
zVc3j1Kj_1IL&o7k)4Aeu-6+C^9fB_jHw`<NYuYtG&bmE-+`GZysQVH%y_2pdkrrmK
zuO`|neR`Hs?48NlB${%&PQqog7wn_JCd3gTh!*BJ?N1Sy-|^0+cR2R1HMbjgoK4l*
zI%9_}=sG&PQ3T_X%%hG{9=yt`auS*4nytXeZj#&f=So2ul&G9`swNq~NmrX(DUL^m
zcO_5M+)95GM@isr49hraM@quF`1wu0&Z@!p^HBaKLm;9>T?ly2bB%7U>7^4RTO{;O
zI=J>0_%?U9F4g5BU3mz{yLVb!lVR;>LN@^Nu2<nK)55~dH{OhZf>=cXi-z<PPn$ec
zE%V8`rt%Z=jCgpPUCwSEAt*cIhZszl7c1?uDQM)L5Vyp}Y})C@(SJI40Zeg_QcZZy
zwhzBmD#_r(W^mOpnwV=Tu$ipH=v(rj1O`hHi=4?BM5bg9vbF7)sb$rxT#Gmpv;VXS
z$+gjil_T1_7nFIa6cz(0g*fc&cc~7Gd5T6V;My$hlIcp)Tg6l(ER7xyWUaxO(~*f3
zR?5?%P{H87IJpHOu>Qf}nseFm4G`e^;%SqoLR5M<nnmbUhZz3=<4GzlDiO=%7CUMe
zQTZb^&bakyRiQ(InwshVocB7(E;}k)8p>oe_3EfoXj@6^*}j-m|8NXnAGUK}MOEs1
zUu%L~vNTjUIO@6bgE9;0>#v^eFC@oGwHgEcsc|Nfxk^VAf&A0<Z#5nZT-@n*Ecj3j
z!CSiTElsUI9wN7r`MgEY$B(JY@2|RSF-cXaG%n_n^PMRPbEndj!rrhks+af^oy%6g
zbyAAGJFH|zm3B!$jitKMYoWk$*`UQ%YZ{JJ(yPTyWC!B`$N|l4FO9JuMC^F$5S1<U
zN9#$AJ%^&Ws+JrO6g--!MRXv5P`ah2FAM_d#C_BmJR56BOA{mt`U<S!qGYE*V2fC>
zSUC=B{?N7FP(T!cM=v&!ojY7DU|eAQ;z|BiW6bxUpseqlX0zC<9C?QM`T}lDfw7qk
ziFv>Sc5qfyrMNO{YzcH{2GV6lMES6NJiQ^McE?JLwQG}#?lfru7d8I#ntOS5A&($f
zBe@kj<zaD{QOvM6gN(lxu<j?u2mKS<l#eO!n|yx+TmAOO;}>eh7|9#%eCGEo36jtC
zJMMeW&=6P8Cka!0ye*_rpnP`jFEwmryY98UTT66(^W^EtaAlRdgezG<o^hmqNFDmo
z+r?k3nxZOaCnza=9bIaC$~ENU#0%F;WLm#RW~g&V+Qucr=uEhO*p)9{-u#FM_gO?>
zCnHHw+KDV19<&@RJ6E1(cWv&+^J?$ULXNLFy!PH1+Gp)2GI9x0Pf{MY0+cNp7nrqw
zSW#B3xX)9$Pq4CK8-4Gi6*h2U>cjr#7)aqzCwOz@k<FrnXU=3b*<H|*Q-%ztx-Ubl
z*F4j%&tW`hQX9xflSi9)7yMBq@x&C{M+whR<RAtJs9{8Xu<uCxQg74O?M&k)Y)E8R
z3bIPYbYc|WBI63g$5pkk{@fjw;KMeL|ESke5O2!twkw{4x*dZYB}QP7z@la}^;C?p
z&18f~HXe3_>xpg*7IeIf7`7YD{bQ>{3~>Mxr#*0uO0i^p;+Krlac`HPNQ%P?OsnSp
z6&}?TSQ^66&!s4QlEJh~@Y(sbkjWLLwKXVrh)Y?TN|qyUVGC;~`<qqkADk3iD%6>J
z>g<mas8-7@UZSJCs9QV@30hnWGc=MZ*S+~%e=pnTZ!!(^#^Pybm38wsz+&VY`*0qS
z6VLy$h;mNI)?`}>UdS=3l!a`is^*=i9*ULn_7wOS?2h#0R#=cR)W6I4DiDR5P{ue)
zg}3^t1zXOcogN#@tKL3;ao{~gScWe1tfq8$wW%asM-SAUVetmc#cY2i{Mz4O?y~vK
z%Du63jhb9z*Ce|YxvBhUaJ_qT(Ogi?8zG^if~9epha7lHf{gm)J5)$s{eopuTZ^f!
z$#_+!$FZhW=hHYw3@Q)sHBRn%?q{DfcDnhZA=PCWm@th(XQbj5$S?NtVV6i7ZNOTZ
zr=b1a;orV7Urh%U`l?2}mBdzZeC=oyA~1ROCZ`iiQySwB_|_QXilY_nTa?oldQ^gi
z9h2%Rd@O!Hxr#|gZ~Xiweo7e5h#~Qja)cFn2)HmpLKS>S_#4r+dlZAq*>I!c=yjv^
zUF_+SO!o?Vvq}Hi`d#bk!QIVG@Swzm5+Cuou-&_f-pFAXe6pLsg#R1)t>V8|m=xc?
z-Iqy_@?;&LEuZAbI+R?n;K1H{)4@eyaM;A@YB#x?8tr2OY#x=Am;|489#FRpU$m=C
z?7lvHXc=T;sHC^Yj-1$?vq_-~j8;Cszz33*R{pgfr^leehNAZDeW9vQs01I;<m|&r
z2|c2qZgYmP?PQ2mc|ToLKC4~t);}NDlMKjb=%VPby|UIvk<&+fo{p6qBuL?YE-V}@
zcy0F7%@`vqYtDr*Edy#l4@ykF`yz2+r9!`YvAHG@7^GegAH2M}1N~N!n1Kz1`!`Oc
ziQH#Z@b||LFJoUSP#gwlhKU3$4s@POrzGz^Bw8Zr=ILTv*9HIeLTlglEp~nCFO-k*
zi*>SyxPZ7@NSoDi=o+O7xdM86fN=itWjgw#@9{Yjesk#Bc6{V>doJMnh8djUrF$7F
zV1?ibC8xah?eyV`u~U*ViMk7MG(4^=UXlABNsj=x&rT`k)XC9H05={IO8mA_?t`K)
z$=gr>1L;1-x@kRF*_`tC-6hPsVKz#9zMq9la)I)ojN~84sjzVoo6q@DDy_cQJGYc%
zz6}Q<q)2K=;W?q-A;tWl9JSZ+X^a!wlb9(u;JwJzzl&WCuUA33++QfXd1pXO+49~8
z>@(s57V#G3dJ#+dJ)^kGr%b^fpb{i5+rtv?H9i{hCo!qdXJS5^&NtVp=gy(^>1RVM
z?zeJ1;Bd_?^r|3__{_;4lZnX;W|1r@`FTk&Y08OC@7)Fq-pn6T<_Z01MEgzsEk6r+
zytsqB%4DMO5Bz`J_$@&gmOI+PMO6|-k^Il(@o-T}?$`nLc5ZGTPd{f59~vJUk7Jh-
zrcR%qwQ{FsuzQzH1B!~Qt@r409<iV0U&6TWP_AxODGxSxRa&TM-3YDx+2IZyY5hd~
zXb_AyU87fiEx~X|b1<XL1fG_wKx%v8{Di?hK`*_!h+xq?uX^D=d?~7)6c`(t$Zx0#
zLRx}E5riL=`le)kNIJzMq5utbRj7OD%&OyF{9r$}-@&YBz+2D6As5I_V;#NnPPzv&
znE2D`{@LvzumNo_Ey-K0l5pF0VA=42d<K+30NXv4M_&d$Uj?tOHKdJIkHtZrx^i-7
z%cbq3pi_1FYTG-SWhDdGS;rM+doYq2OgxVW+0;(ma^MbbY^Njc*NdHDtHvSOIbO@S
z`tcIJXAha%FSbVf%YPH&jzaG(*FYm7HAXt!@36|mT!QR0BBz=&rU8shD}S+FV|w{O
z1I;b|0lbwF4G$C9+8BOx8h{16^Pq!1>6UK7xHRE)PBLwe_kJ$#4Kt<~EU@o$^LNn%
z#f&CZ%OYC)-yZaCAq-Tj$1ek;t|m_-bDW5nK9$Fyjwc8UFCwSbEJzmrRE4j#3uiYQ
zwK7NsodKfNrhA&w^ljweSZqv&1r-m?AvqXLXi*RCM*on8PLmU4N-ek@*Si>NZhk_L
z5`JuII|clCRn+PszFlbXt<?<}7nMl3sMveWtV#ILzREsDh*pAFH~~~$06o^r>h<U9
ztnX2wU2na5jL&^Cy|z)!_1CDOSX;}LQ2$Cj11C!}g2n<IlktqKUzs9omy^OWW$)mj
z1*QosOQrhJjn(MNSwq`9&a;*ciP>+Is1WjB%2IOvx-+8d!2&x9?YDW4!dAd$(#@z=
z1aZ@&bH6t0JxA<%V~txsu9nJ91nG9DAG0zHVKopb`ocUr_J+K=(6jE1e?3de!a1tm
z$4h(eGzyFTWAC>ffYWrs!ChXxId{=3P^xSu-Es8@;`8O)JNC^*SMYzy)S4t*lrlv(
z!f&b#ji4tz)&6>762Iz_+GI!SX;%G)E&lN1Dyv?G-k*9-?V|tbY}j?hCDxpnbamIo
z%h`Tp3ws05Cc&Ewg*zw~m%6KK>_3&>E?EKx&{hFB`wr)B<Jn&*l_?rqsITdg9NIQo
zi<Hfl$8vE%Sz4IGdHe~i&H5$(f)b4_oVFdRplp2u!3)%TId#;Ja`<-E@Ag|2>T<Oj
z17{pJ)K2miEKh1ye6_@6dGY+sHGeRCx~AfTFFpDY$`1R}@uJr#Lf43%m*ft1CG_HQ
z*U<P+*G2>wmGh^VPYFjX35Fwk!2=$3^Z+F1U{$EZfC5Hdk%MJ7<gE6yOyyb4mw@DF
ztw~qVNl<K@QWU#f$M9CP9%jqmq3SSC!Gm>^b~beTwL2$4YW(ZU=b}DD-O97=LUcM8
zg7uTgj~+YdB){X>mB{Ttqwd%DdZAV5K%dtWEk(0DMYDUthX%r*zI{x9(76zbEF;7a
zuEZjtF9P94<=QxH?<*Otl?g@hwEXIwn8M0G4n!%AX5140a5e`|ab}Loelsx$727lm
zeZE(rc)jkIy__f!-P|2b-ZQFMSxU)U&Ej`|N5yS_Th~3xAE7vBpd%B;_%wTQ??WvY
zbYUH7M6BCqniF~d%S^>*p6tJV>K9g#1eJW!rt<HkoAVYfsge<R0@ot3OgX9C%7JL!
zkzSl>Z6cpRg;UHWuFn|EOeVocQ7yIPiY$h9lU8<W7A#UxWLdJp3=q?~P#?d*Ssu-%
zc<7-n^ETZ<e`0Pmc!egO=n(S^6EA@P9%L_Rx3Dj5QVYdakH-~bI3YeEaH}Pto2^#7
z`Z+?;D<?yYZRv54RyxI0+tS?cWuVpPMnTRWI1E`3qvcPt6HCb(+e8I2bI`ShU-xGP
znlK8_d}U?DWAHAD*W+~|SH<p9j22UWjL=o@+rkye7jpMEGg1`=3U$C^0^j$>+h@#W
z-}lV|z2DQ<#a|{Pvb(3ZUC-2y%cY&~;BV&BPe=MNmo5QnE>N+bZ?kgG>COzTY4uTR
zS4@R4H>m~O1;10HDEx8-@H|p(^|)PJ;$H>sNv&d3#+Pxr|2%Z~Luz0zzY^nAun*@T
z10rQL#vZ;srPot`g~JMS3ig2>PP>+bMdAHfj!Z4zCV0U)v{;;!0ay0oBjfX<#!(Yb
z5}?;jHJ-c+qi=DAm&n5O>x^}*g_Nd|K5Jx{o{E|ROep$$Q&h1WRGtOIGS?^1Y>76;
z&l0!+G#lIEc3%W7SGFJ;x(n0WUWV+P4{;Yq2oG#azx{&NYpkAeyp+ELQ;ilAP%f@W
zie08t_gjEAps(Wt%Kk^52EL*Hf;=vEYwOq1IRf$QbpN(?-r?+~$J1I;7vc*MX=51j
z;v}F)&u+7n(7{16hdOZ<Qa#}<xz9y%zNBg1xGNDz+X5$c<5OV(el0bgA*nh})tu~^
zRK)G#%h04S{pd8oSGCM0R2%!(Q#_voEfu<tYbHtS1X$E7lNc~8ypqpbiPP9lH7ivR
zy0v^ydB5e)9W<E+(g%p3Z$lIG15~R>FQe0$_zH`Us^DC8cFS1!l~B#sYHEGHc~zd$
zjGi>KmyNB#t}nBq^8wywoE$Lvj@{f96dws3GhgpY1Amv-<_6{lZVElUZiIOCpTm)K
zA9wl;Q8S%8+(|Fx;3vGjg_!XRw1BCP&fdPvH+vt3gSUo#ngeYC8h~Je?%zXBTVTky
zIz%z@!1Om8WuP%D@-*zuBj}U2`bQnF2CmHT&LV`_&03`#C1f))_AUk98H6Ml0dqBM
z1H1rHpjm?OnI?8_>s?T1a0Mn4ETXYN$PSMD%5!q}AM%b*i|unh{&ML16kus`%P(u4
zx}Rcs=H<o)u?`(P5m$LbXFxvSQ48FK!Wf3U)-`nLbM#7K+h644xqVSCjC459Mk2rL
z8|E>!1^V1extuUsY%>Y<d=yO6vM#%1A}E(FQVat&q5}h?W>Wx#vg%b+BPMvNgN+mf
zdr^Z*ObxTIhOPC_s~vY>zk1*bmF#g@FhW)JnRgy=N(LkS>b#NVR<mqsfqT_QVN5^w
z{s^&hM?ZxemZ{%pnxrcrzX2I=K*m_RRr3VR-lcz4*ijRWF+s(&3+el!H1u}-tvyVg
zrUk1X%ezbNDsp`hl+Qm%-(0M~Z+4$ES$cxRtav<?`>-;DNy$~LI3Plqjl*6X9{3rG
zFJUlE#CM{>9}wUW^a#6U+E<(GVV|=?ybf4}yo^aQ7cu96s*KH62DsaI0^0nR)dkg7
zMxqCz(k;}SJ9TIUEb?w<!sKITGnEeyEp6>7FT%^75}<OEi>E(+id)D~U257#j1#0o
z6>!h#vv58WXCx8gw)^R)*Gs$Tr^lAy<63R@a7@56pz6pp3eqpS@))LD!kt)egl%D|
zLN1%dnHO{m)=xMfxW-mmHs#7bs@*I60Yb6>ghIjmGQHaanukDnhoc<!>AO(Lqkb<?
z2v+_$O;K@!zOXj(6l+(4wLIO!>dqv2+KlTjcLNOe9O~v*3zf^8V+_sg|74$amRF;#
zj|Ag#Z{dEP_^8+-<x)e#j&Gh+4RwI%q51aa<BC>QcbB0Fu=+^5>Mb&2HC47u=-_vm
z`aPLTF6)ovaVdl4XlNIF-EzoMO9=hmy(MxyZKN2U+@=<WxoXSf$9$u_3NS}Q{az+U
zF?noO5^J{UMpR$%&1gMYNuYJ?@+yNtyDkPIBpS3%18G0T2Ow@Wr}WR=3Jr%}9_zI{
z?Upo$BPzS7hU+5zYPwW<VfH&ZtB#UxUG<~zHL|wpo8bl!+6E1F=U9IA>aQ;HCwe+%
z!0p>?lO9OG&;77}aY*fxyq-05ZCZz^NACIp-2?X$E9*>bv>rFbjD&=hD#UkGd%EKV
zQGz8AmXu%Z4~-B+zjd)ZwEHIfYwK_ka#8ps9CLlAd5zU?)yXckd2&vp;4#rBSY6m8
z(l-WB>$P&jcg8nkr5I(l<62HI<hU}^<1nQZZ<)`g_*q%X*8J5dwNN6G0CSSNjv-1+
zTzhJ22QaMe37~Fk&Eve6rzV_9Pd1M%<E3~WSv3FTisM`sqvBvq&ngc3#W$5u8+|eC
z+J>wK9I-B^`PL8C<?efa2kMJ&3jAOFJHA&&aftjPZi<KuuG|5<o_mn)X@-RH+ln@8
zj^rQ%x46^dEst#(!vur?ALngzwU;y0z*N6Wzxle7G?*TOcrQ*36KTul3+X18rP|EJ
zOZSZbWME+hl){+c02@!DK!`Odc3urjXC<^WLaKX+-^esgzMO3Zht6;)h*QNm^tqy4
zyJ{f|dR(nFnwGE6T$B^FVFvi=eAhn!GW_5?_<RcWD8hV8uA6hMHp1&2olcCj^H^x*
zYL2JrelAO&r;2DK+!Dx#wSwP%iJtwI!h6#jU%xsRDfXbVG^pFA%a^E)86MLGH_|zM
zMUo8-A!jTH)@W6bR56t)*HD7GDAPOtV(1UK8C)^GU&K3PqZF35M0?Apwh5*>jF$eA
zO{wEAhBK`Bi3GuC_$F_0?<GNG$Gbk;YsY^F?@%sb?TQ3ves^g};f0Y?aNGf_k<Dk7
zpy#kIaa}FZm{J~9x2E8o@3H_~KOmX7f}b_2upNywY*Sk|<*CXutDu*h!gG8L=JxGv
zc~==vfkDQNNe;V+$C5BUV6Q|co1@o7ptOQH*2jw~(4{C@n(_A?f9>Mo4qHaNk=^()
z9g)awm}^aBX7khD8t*w5hMD|TwB68WOdI#>5EfWacdfcsI7Tzu(b59_g|PlR28Zvq
ztS8OI#G|B<aO>_#(++7ThN!=j0iDMjS-)YPlS?XnTmx3QwDvW_y46h4;r<(K>n<Lt
zB||0XEEhvz`|}@jeCG_%n*POy*E~I`YEch%WLPWC?ErTzZdhxrVc2(WX%Q~TFUhCw
zmF)v73gurxQq{walqjQfJ&V2k3p|+(_pLeBF$=|NHJ9*#bf)DiD6_)b>;prA!Ysc$
ziB)L`lvQDUIJLkWa@-;3uiX<!I@(1XZ|+R*{!4?o=DYUFTmhF57cbqMVLfn&b;6)L
zUC;-u^U`9{Q3>roq}3@DZXR_5B@@n0E#FIoFsatdQbNbZPh=cV<EE733AUgn|73>;
zj2Jujy~8*(Uh4m}z^sMZ5#^wV7AeLYoG#AwXLxC@ab+v7&8qf1OSY`s$Ow4S^}b=6
z!+&{l-M4omPz&;qKBgY#u|x2C=kaSn&|}K>XKdAp_9f>L?m`bvRBP5p&B*fuBSZWr
zYf{}}Bx7xOah0wyrRzX8?tm2yF}QV=&$i(ay!G|lvqvwlz5_}$3EBF&$2ekrFIz#n
zwziQwB{V%*!>5(&y!kCmJtf!i(iYOSQgL+T*i;o=JUWox50ivnCMrL^<aw*)_Ht6g
zJ9>cAYlnnW(F(QT-aS%)lJzjNusaRU9w_kD62ZGK4S-Bz$D6Q&aRx>V_S{o)AkA)y
ztW1G3$~#fPEbCqmGN1lwi{mf4C%z78<>@iC)e_Y|{mDRo=7_kU1vV!b7ml7ee9p&V
z15j#bdQz@if7HQzXq1+M?ktiLeiMOE96m8#_%~ZxL^%;EkA8{#y0%A(-4sZP$wN<3
zmQ<odA_f|1m5G+H{7;y+`<QYtz&vr#M+AUv*61OS6qG5Jpy)+G<?ocnGLzpx%3(>|
z$ICRgnmK<cLO?GF#8~4C;s<A_?6$2FJSzw0Ai%e5>YRIY-L+SaRplK<fV^}~r;;fc
z`fRqXfx@-feM`h9t^j}Pwdm_X0y`juRv><#X0v<%e}ebCze%3^&jF4C!CTbS7yfx!
z32et<<hT49G;4VO|42Lw>p)e(BIYD9147x)RiD(`!`pJ3-TH|UIF?66nryLXm=P#k
zFH`#~Pl$qj-0M$BqE;#QzsZ$C4NaIW6=hlv0cjg4R5zGENw_NK5`?M;cU(8FM#R5k
zuX6t8pn7aWv2c2>6PDZtl>eoY{Diu-uNa8C^vRnjrDT%oj-)Iwt0|-UTxoF_Ih00H
zR*N;oo8QuJvBp?!^4%#t<Gt48+I}m9jLs}>p0uu!gqjiz_XSK6t;#i6Pfb>5|AjxI
z!3{<9mQbn7Mbo|c7h7iHXS2q;F{Qp9aTHd+-0>$D1{nmdn#6;iVClwkVussJDb%v4
z2Vdn*d^d&FXss>MZA&8<>20_xqb=5_sNT6DEC1NB|Izj%1@mI@VzZiME#rj;UgeYN
z{KCs`O=rfjp-@}OjlWDSm6d+^F*Y?>hJeu`sWRob-l9;-#LAbtNW<)hDh<}c$RUE%
z!d|<!X$`Bp2x$(d>Qh4PDeb!Yk{<Z;Lv*hSOI^v9YqC9}$?CcSTdM8|CS^8}9=%+~
zVEz7sj6EE@^eWUw<@oeqA-(i+lFT_=f>aA1xr5Hinbq(1^<$9jI#*TB<3(KdidGJO
zYb857IiaS!ly{aX@}Q(gBy0trdy%=?J+*ku?S25JTa=5U_ttmkdIzA%0x%m^O_cOQ
zv5#jf|Dof$V$+t&LHq84z2To^mC;q%1KH)W9;AK$@wcYf0jg3fKAp~qNL67n>erf<
z5H*OtX_Duu=!dUA+c@#8Wre%$LHW_Rljk?_Xt^d;j&8Q1PCe{8Lj1(ZQ4N)0o9LfU
z?68rlB#i0H43o93!i#yzmQ;=He!WKnX@w#D08oeXDnUN7s>?rOS8;Pf7pd*9yyO83
zI+<*KCsx`A5?5Xs4^+&pGE@u7gv;!E%HyEwK^`=^#G;2@X*^7a`NPgV6Brj(w_(57
zHnVBmE<_W<(rK%kBg7lF!=B5&^E@JyB?VYmsiCi5fm<@jEM>1bduwt`U+2|AcvP-e
zuTYre&B4kpdZT3`rX8c7xvY5K;c%1{Qjot00av0{+_{Bx-k9d+{~4A%FKcR6{(5+P
zkr<a21Kz++Tt&tfhI-JaYN=Ayxv#&bI@!1bpS~f%z`nng<zV3)N5|GhIKaT_$-%*t
z|6lJF`v3J_0qsqkF8qBx*QFa@wEpdJS>pUP2Bl1!nHpRh20QP|nEJ-Ct!;5rqtC*u
ziJJZhzBK#T3aqHwL6r$2yS*^@4i?!mFfh<Cs0%oivyWe3kl$awN|C%Ik9D$dTSkS^
zDq+tW89FxCv|Vg8OGk0i-0(ND<<y(DpjV7|IrssXA<u28btc(4<fc+?t&nl^MVC~u
z#k26PDxg{cD2}Kh%zz&R);R|fL=NG+_YsAEvP(ParI>+As*h0bn4>Zr1*P|6oSOak
za?541TRIPor~&(FWVxj>`AEs9%riH}>83&Ltj%oz#lM5_iWaY*V2@6`Mwpcc?1bUB
zIm|gwuf~2t+C;g>dlKAmE}H<@TR7Bfc%~><zm&Sj7X#p-<AE`8n96Lz6?~HHBYb?M
z34bR^WeF+j$qVUts1;GrGN(A5RmBSi>fO6bigX|~2$nng3h|8V_ro$pi>1o4%sw6@
z*M_xA_yGrme!`6n>CWEnS-@`PVXZ_UvnJu_Jt@NV#B$rMMy`IH?57T~BmjD8$Qn<4
z&vL52(&GmKEG_Z;`a@K6Mh#NMy;IOD|6RobvA?SRJ<-*Ij;cBvn5kurae9JtZm17K
zb!vD?d%aWGy&>@-8-e52VIUeO3A<G;=7LdQ<_H+<l9b9kYB5YF9E^AJwnGuq35)0+
z^zV~4wOsu|vR=5Ku}@D=v)*xSe04=60mc&3#;j)3Xuj$~bvy=9_qvchLUk%nc`JhB
z4g&KZD0?(RHYYC@*`?kQy`kHdEYL#ybx|mQAl~p_1122DBGFV6XqUIJpwKM|qpQ;r
zzP}-@Bg85Y99iF?PjJ;#kix!v3D>RMgUwHC+-|$EU$r>b<jX&X=E9p;u`Y`J2rZC*
z@Qg~zN-eyh^U%h%&V8udpBz&($8G;$Ss#OZc!Br%usY#c_wIf_yuDhWJ{?>3o(i)2
zmOewi1tJ`f#ou4@pIUBUdSOH+MFN}bH8J*h;yvbmT9pK4My42~?h%@Mw?5;UulOdQ
z&!`0SJWrMww2&k9!HPzKq#{s~-9iSD%$o#RfHX?Vf}=EJ|9*%~K!13p_@R{02vau&
zV4(zY2o<mFfsFwi3cWD}90YBOhY+y}MOb^VrxguL&Pm0blPUJc%1r{(56C)E?pc)6
zMaZvQAV2A|ibT*#N(*33Vw3SoNTm+=3$9vqF{4G;WTa}isO$6+auReE@NmhiCz;82
zVPCzcOT;t|wWSkAj)lI2$C%HK;ZAl<lc~mV-IvV}#X~i+?p(;eLVwJ-EP8wUe3ZX8
ztO%@szm#vBzcO`_@O_=H*!SI^9n9U1EjU~szErLpg@cTpIY+HRni%j*#7hCl#Xp9`
z7RPX9qE&)aa}`p!hlKmFP@TBPhNzH~JdphnUf#D-797Te`1l3iUS@;@c=>(6{qy$y
z(nn4BMZtMxQe>pdy<rHm%U>WWX!m5C<g^R+yx@A2O7z^4s4&I3G5U%sTZg&!hs&JN
zifE=>2oIWrArO*<xv|Gn)@H|OMpDe;BeBRAv-d?J&IDqEht?dbIDQo8$vdyBX9>u|
z=)_DIO_HFrMSb~4z7NJs>3&U^(C3YKbE}|j^457*E{R^x8}m~Br0#jLoWsVRVHPuO
zjbK3lwcBIDZHT82`=PR770TdI(^C3Yg(q7RD-QkzPc`~M%L}LGm$b>Q!W0XO_gKD%
zR*~|fcd*SW)0plHw~3}xVu5s;c|cs4K)DNyjWO{vc}_g&P9oEShdi^0`CBdm2K;s%
zp9U036N)lKIL;tE>J_hsg><JQ{1(eXj4|`nV1+n@T1?Ynq1sO?QWbtnnvHy`ER6J1
zP#WuilrlM~^pt$0U51(<W9*zg^Nl(Zur4M_Kfe>0^47N`Dm7-gWq>6=#KnyoAwmpR
z)WiS?6H%O_^kUg}a>tM#x`el#?Vf^r9fG4b4kdiFG+{42JlhGugN2;=j0r=^`rxf=
zV98%;XJz$O>;GEk6AY=%{vac&iS9Gq0f{0MljfP7v=}_H(Bg@6OV^x~nqiCv@P=?E
z;A@&V4Iz3iHg-iob}QL^3ix=bFAu?;JVO{pf5DxcOBjABck$LerX1Q}lxivBlyQ$c
zV`K0=0}dsFJx5L0<(<3d6cum5#&U?H9G8XUZY=-}(y(%%oH_6YZ;e@!43R*6n7s8x
zx|gby$U&np(W>X9JyN1rF4#a$A|P`{#%}P32@Td6^BaS3Q|ce)sgMBmD4CA4W(1}X
z8gld#9hX$MRZmqmCCm0$2JQgi@!0>gxDgbaI7P11QOU9t9i7TID1UFJEjU(XSo0LP
z)`xU5weFoCiIZvLaq)-Gcv&}~o>!=H*4D+%^Js`r2zf1N?dW*5K_^Cz-L{E$OLIv=
zg!n?SQtu+f+U<-sc^UQm$haSh%y?QJjh!_0iphs`!)xVTYf7~TH1H7w*Qca1)QYt=
z9R(RC>D2!&%e%bukU}amsI8gT+i7y4bUgA(b57=D*a^aKEjm*7_)!m3j<nO69quA)
z8DJ*NFosbY{YNrAg>jvCcD;@Vf3k$P@V3x?JfbX}?pJxgheE`)zwQQrzir_PYCMY<
zsh@u=dAC?QPcHufk&EE%d*}a1lEWC}&KWfQ>|!RST2VB+;dg3if>2U3BN`cIiDG`X
z{csbfGlWu!c<l5v|B(yB;(>&mb~KK(SddzBMdwlM;A2j89R5N3Ks#d#xeC!BNyaih
z_P(u;%8lHJtXPCTgE|Pe!?#ZJ_)`Yt&2;+gbjj#lV4s{j^@?;&@F(>-X_|^4tnZ(n
z0Vi-a6;aH{0RIrxAQF_ufY@-aoB67es((OcV(Z8}ig|$w!|iH2-GZk$cVxmZE$N&|
zZF}7S!Z-*CI_}0niga91I8!Cu^J|)+xZGz4aRDUe6gg#oqt65)HZj*>ftI?oyKrbQ
z+MP~tEm?_9yb}9R_UG(MSeR}jVIldk4K(K6;BV;(@6pD*GrKHwu%`A0UWl&VoBaIH
zwzM>Wp!gxfyp@20y@%EeCNzf{@JJanSPFh;Ms7h6$QHhK<Hnb}b5$P}Fw<4Ps`f7e
zh>k<xKef+1b4MC|C6GEYOs2Sc{KOn}3Fz1*j#)A{MSh2rop{AIyMn4nVWtqAw&kyj
z57xXsuQE3)AArLJ_I^<_jKmG?2^8stBl?cEDt36vYo~STK=v*3Y;!Ps`k(Um<5|;T
zMXQlfI}?Y+7njuoOD4+QkIS3VXutd;n%sF=C2~y(%!%|v?9u(uzs$hLeB50y!U>^Y
zC6X0U4r0t)i73?wNt6auRxdz!kUJqg=dmn#LOK8Fhi(%uU24xt)s6Gj-9`UyGpsIQ
zNNz6IId&kvK0UZ=NZDpW0f37d6uH+wxs}z!$1w7%8Nb}V&D=JE?Z0!*=|*(&OVg(G
zibF-SajJz2R*KDb^^a+u7U}Eha~P=Ll}$kH`qX@gZu7m<&K`Ju?iNWan+8P^zcU#p
zpAHPAx{RpJA>@AgKgYhH?*3exZQAg<*|BcizWVxE9`#XFwZ(thHML5bdEA8cjbmXV
zG-xTZL#rL58>D*Q6X7Q<G2@qIca4!gbwND^Bho3N$DgY}!R@BMG;-EF$mR7v0D?e$
zzc9;jZ;*!5`$ZE~DXMz`ukwyMvou}cc**K6^a$twPLj#JI;a{1>7cicEoK#Yq0u-B
zN8?Ijt<I1z&TyJ{dcAvfQ7TZ2MAxea7_eAT1%7q<q<E2S9;++Z%_kpVm+vO|yF|!Z
z%I1oYb)iXppHVC|saNl4v9$RT@Z}G~dq}3eFkf{i;}ZI}2!U(dKMLmIC@4<d`%!d|
z29xT5eDxVH!Z~!Y#vV!rd|Hs~JFks{co^ZdjmN<}Oj34tQx#V0U<2$?bcw-Y-ref<
zYXLD^Le6dA_e~2|A-@h+rK*qDL6#pRgV}~NMVqxUi|Mo_jJzVt{Og^^?<1fWfUui8
zuJCPES5E71H6t94@-f^9@@Pv%C?BWEHHz^yg3FKU=QaD*fib(%q>phdE=xdRjLd8L
z&TIT08wJPKk3Wj;endWchl8s(!4ze){vZmn3|)`I!5Gnbm(hD3U@tZb&^(A{7%pE3
z;#+iuZ&~GGf-?muK@Q)9S&pv9I7R{N55vO->dy$)<6w?6gl~dD9^IlKgDXDLVHgML
zEk{RzmgHlcUWb{y{s5^X_}^)e1{3s!-(7LXP(RG^M5)I9e0j$OMV;ReLhq&^R7}z#
zPEnpPIB++EHgFrNP6;{whJA$w+%&-m(nM$Sq6Z00V92gr$>462FwamD6N06q*#yT7
zIO)2N!+6Bd9V%3UTX*<R%G`Z?5zL~TGadF84l^MHiX_4v6X|S_Cuv<$w1L7LPcpQJ
z#631!`h?16Q=HbJmXtmOq8(;U2?^~fjPkU}B!7%>UcbV(Mi*pieFxyiK?dbp=A?$w
zjJ9r=UDGC>F`Lz&DO_1Y$I|3TxRETFSoG4H43;nn!h~0&aE@b?(0h(TD);mUTmllH
zPx%<fpU?#7<AmL@G6-S?DwzuOhMqn~L6*%X{BjjCsbDVgD|X6f%a3<Vrq6_Q=LyPj
zmN(VfDI3L?ev(8ui0{yuG9KEFUgZOud<ta`?kfqiGgc4nv9{{HEQ0E^=!YNp9a*d@
z+@3_~MQ<Qei<<-m>z*>H{X939I*OL#V+{-y(V$w4UtR+WBgI(~%`r++l){~eI*%Bq
zr|hz$evsiIBAPq7W-5R}+ja728y#L4oqigO(`161Z1uDm1sT1r?-SyS+bBSB5^u+|
zC}L98&{PY(Zb{s}l(MTF`Ta9N&IoBBLN%Cj9}!cO(2VPFxGPIjOR^^o2}U<|!;ZVp
zW3KN_NLuS4MnReew|x9?y%ZU`c6$zV%CY}TCXmd^X9uO<9q(I%27kVoxk~p0TR?FJ
zw4yR~Nv~=YNYI;>Y=~29);cU3ufzypLphTK`%9)G!(l86pP^mdgE>A|2b`STjj^GM
zdyIm9GRuLI*J&`F;vrLp%)AoUhuJxLXA;{i;_5Ywb3DSS?6x@xZcdp9flKEc+$6XO
zC$kBPXOliofm>W?7!s3!m|Qdshz)0VMcJ@8Y69Q>tv0S8yNw4fvN`py;E@~Y5sq;R
zy@+ldkR3XC5?qP1PG}F+8EYGYXj^U_U2is<19?U&GpkV}tzE)pD=*7x>+)CGT({uz
z{z$=a>ns=g;}4{w%^mUo*+V<Tq?EM$Zf}pCU@O5IWUH=r@cz*UCz?xuupAZfRWolo
zU#HP5g^N#pA-sD;qzOR6D)E&J{O{<z#)bU6hIW;onPNl>Oed4*R9Xq}lf}g4_nT3h
z7zYy!s!@=-R1;@;8pfkLXyz7u0LX4=({x3cF~^wAxV32})=MRDhXP`Ord#oZah2kk
zW%&Y{N6dU;zEyL5fv-tqGY(>U1)rm*h8rYjF?D_dVvmCu;hO=T7AbwF`rW+REgbxW
zc+KB(?0<ICQ)gZ!YBrlcZrO%Nw?n2<C^tiJaU;R%fa{PwR3|gL(hv!y6R6GK(cbHM
zkd81#IRGnVnW#Xu0@h4*#Fct}=2Q2Ep0Y+kjv^dnIr{#K3FQub|HW3wb*r;G(460Y
zAp^gwZ#B>;A>b4g?>?1=t>%FKW=+231~f^G@lYU@<6(W>dpwNC1UnYh*6YkfHkj{e
zJ03{)0bF~FEh@l0n{YL;e{#qbJUE*)y&B!3IFa)ziBSgvGMdr~bB<{s!j(kaS=w-P
z1z9zE$*8#e6!c4;!Zo<0Cwj3e<OQTt7p7TG69eqpRm8{V=p|1e6-BfKk52?77Q)lq
z6m)kHgpm>#u|I;4MJ$Bq#ClIS`=QQeS3~nA>yB0;0JLaA%d|*Z{M{)^Ko=J%MS~z8
zj8T2icRQ7cX_+L#&FdhI>z|lJs=OX1IE(+1qYUE-+(SH@!nMd6%|N^39H$NR3H`+O
ztrN;ZslhhlElAE0pQ?d4iq;_91l@uggz27Mz(hfqQ=~!VD4?ju_$G&1q~DAR2oV7)
zR(7wg7Mjr;fzd2xV^)KRAigDbv#C!@`d2!`5ObCtBNgppwRWD)T$Q;)?BKipz~%nO
zWfR^_aI;oX|86&a)p=1oE8KIUY)0tYwzQ;WWjc(Q&5U|CVU`ogX41y|YdSifUJ{Z=
zg)L8r=m)9lkPt^GC61DGLTDIZxd-4rSdoOtfGaRrE}UvEJ?oUfJ8XgoeWI9t5~$L<
zmnjxF7>rSJp@4+jorSBVc~=r9CB<TiBig-Ef&HDS05xjLIcy|8`Z!AB5g~7R?uJ%(
zcj=5+sJ#m_q5+2d_H>RD<@ZUN+&Gpyc+#4OSt28o0B|KpDo2^I+l{j&3$i=0R5Oi&
z0j5`%55p9)>hV0GCo>&rUpVMn<^2K){)Z#+H%I=(r)1((Auf-UbDqj)$j9^K3TO5_
zu%R-Rg)s;_47A#XenT7WA>sIn{%Jo2PBe3{Zf@(mzNVyt=`^}!Am6YGB#1ihUpA1#
zuNH7wuaGIKix#F+UhDxX>Pt;=L^vnT+3|IJk|tA}=C^1Man~O@Yxcu<ST|ps(9|1k
zRcS%KQWMivm780^MyA#1!ofAvAK(<;8$l_kMtCCqFWLTyQ6~EY5I%8j&K1^z`ROt>
zV`vvTH5UW>o@0mh(3iUp4v`nM$y1Eg9Jo1aGnfzA6c556LW3Z~SrhrLHB>Rrrzy^G
z3}lB$UG2#|`<+3soIr%^SunvUVyb~ZG^_-40fxwx^5-LC{3V8t&1X=aL!1rLuun1j
z^1m6z%8a~QknR)ZI{)S9E?Ul*=?Z3fG70i<054(Sak&kW#Z}u>NZss%(0ZIEaWbRa
zQx=3AdbWtPN)A6jgCwP|7#V8lv-Ld-W+@xx?BPN}U%bFmKY;^DjXvAOd5eb0TpN_+
zwwA)UbMxG=EOfxCU1_;AJ5^<>X4mGZ^atUmspg5o90Y?gM&fNU)MnS?Srn-Xn5tIT
z1(xYAl|Y1X^(jI6jG-`1lWCFaCuP7Os)qjfLp%XQbe-SO<BJi_?T#AU8MGrj;`D3K
z9qv9u3yR;9${%dM*@pUET_1<N(Lg{J`yr~}5)!i|Z5}Rgd~5_9OW<;OyCjW4UmU}n
z_m~BEL!3spWV%tIYa%!(O8U9R;yo=xD@=rZ#Vr-MFdkVc0tHVllypRkAPnH&VMO;Y
za7(dGEQOql;8KN|<+6!CPEV<F#XM0-+%OPyWfMdgsXGgG8E}Kx7Y#*FpJgOD6TrQ{
zX5$o-^&&}|Y$Zim6jtH!7bdB+2y+Jsh*<GTd$u;J(>cU@E*k&xq%5Ri1$|7y43qdT
zIl79IYm}sDK+G#Fxir~U8qLb95RCw>f%?fT7U7#M^~FP`n-RcuWYc|#tV6|S75e<U
zy*&gwG=BKO5-={BT(AD|2dWUkiuoUFp`|v(QI<@wn9(9;8Sq!P*ie%TDX1u$^|yHt
zsL7>V?F*&^$224j0IUP1y#&bqR2ii9st%9L`CBE=i_GTp+K=b80#cGl0Cts3X}b_-
z#1{Mri;me;i^*0;9WW@u-H8^TEeb<b4J{QW!~52igU%9kIm;kmy$;eLjFaw6Tzu{@
zXM$QjL0mAh+-keCu@~WJmInO@(@Q=anJ*mACRndxS0bK*QxglbY*<*cmg#!XzYH_3
z6~I=3a=qaKZo|HFr5NR|w<_O3abF7hEre!{G;=#yOjz&bYgJ=ekv=VLYSM%=+Dssu
z12%-zF?QnS7x}ZN_#&zjb!cCKLxl4Z9IAWQ+AF=6Wl>-m;RL4;Fs8vk&+j4s<dCLM
z*=Yy_Xz?(B?m9>vHdwX2RPE_$VpwA0d;Ew+8sb3|q<Dx@91OSVX6AUP0gRJ)TU8HD
zbij34ii3>AW7nAP%r^GVn#hT~54@N(Ph?OU##xR7NNdkvX-t&RG-7ny)F6p1iO_iv
z$BDAyH<)F4GEvii@XA3lbPWjcXxtRAM%_T!Y%nH~C*SzVFZ%wZA*R7+JM$#xAkR3-
za5TqkDJaXyCtvZgvgH~$g+>r$E3*1YUvv@~k$9*YN_8cG032d?*(Z)kTs{v29S4d+
zrmZv)msaW43SMm|&B|wLGmO(^t8yVkZf?qGHoPD)5+gi^cQyiE4Uyp>{irEGVVRQ)
z@y1dG79(YniI=j{{1RP>a3_y^ME9r()RaU#!3|b9tiBrZKnG;1)E!TgVA@2zSwF+S
z&&Z&}vd*VqIDE|@eQKaj;~-OhCMo*F-UPxQDnL`5ry-sj631|sa)g3B$CGIe{ZVKd
zZqpRc!(^64x7)#Rh=+1y*GYOsW(sEe7Rpm?`uT_dkz|n>evX`e3Wfdo<_QXIEd(Z+
za%@C(g0G7*{dBh+%?n%nqT9fe7+WVx*p_u5t_@UO!y~N$Oqc_dswEGWj+A8us|{Tc
z{XK<VXzy=GUEfsXMg)=ag}v@gIka9=Z7Mr}vltx0mU9U~H@S+aS{N7|YYt;mZCKQQ
zaku(>sOp(@X*61>SJ~+u-7WA6<0&FWUTpCg;%SOm#`HR%FJc}C89hE0C8LqLc`1np
zbhV#@B|4Z^>M1W)-j^`nF_7khKa~^lKIC^YT}iaFK8wWQjJ%~1SBo0omFJWg7kPD^
zR{X1~?3EQC@kVTW8ge}q=CB73UQ^9qk)4SZ9t~)iXPP(OKxshy2)YRo-VU6L_hM%_
z&chgUM~a^Op_@wr4XW7j&d+ApxXObpCww<|PLC$gmtretG6+OiYytg{E5|Kx2)MGH
z37I_UqHPh<$*3GIVwBX1*`NCAap;?E41jZfh!B>!9D{KX$2e*_``~LPgcFKZRr=Y-
zc@RdKvT>Kzm79eD2RC@J>G8*{JMER?uAY3kVa7f&#FrpYkoLno4N~<4AAy{?Kq`(i
zESGTR8Q5Cqvz!E1j%-n-qL@z#fv5l}Es8OVg4|8r+Ym=X6)|)`roZd7rfEU!y_-Ty
z)EQG6j8_ef_Qq5vs%aPwJ8<)}^3r$L)+3o6)%2KEN9~TMUiY*Oi2Uf6z3tEepWwm=
zSx?==KzyxX5j9)AyRGt_{0(Kd=T<YzgTa+654;FAMf<iKi4QlUoUQquD?u+a1E7bx
zTNV>joXw)#SWj_mWTf@bo|p}`_&IoLp66iO4{>TIOGF1J#=(}<JiMag%Fj!lLVM-Z
zBm+onARH|H;RoeZWu2B%KftsO!*Ce?C7073nuF&lrah$HiONz@X|<ekt*i(~w+$8+
z6PGhbI7p*VQyK(F9}fZ+c&1pKx{ecRmcSNVq{)Pa`y6v)?;)8f4k~<S5sN%@2whQz
z#a0=21Z^K>lOT%F7)MijDjZC|Vn4WM<%W}6Ok@1Sq7w>{X=gV9!;0#G(9g<+HN;sn
zfaM8s@!~Avfrh{(&J(JX=|M@c8##rimk=Qtz*wEFrmmy86cS9Bhzw7;Jaf3V667bD
z@-dF<lWgRuLbJ~%8I6;m>`&Fl1e~P{8jPd`-4NEJ0R7rKK0+yGTT7@f%-jHtBjQvn
zVB>&C*Hz%M*qClUf%Y(Yz=>g7hVl$Y7j9z+e?(2Okz4D&?Cc!i^}`SR8}Bo@pt>9V
z@drNv4HcT4kaX>d9-MNoY#>4OJ-w~1$P1V9B!u&tAEQ~!<8MaLWB^;|hsyae0n{F_
z#%4!vA3si#&+l-*%TENJuwC<~z_5=W3zrdWM-=|7JpA2O6BIe2c9Afhq+y)PS<Kee
zne`=1n^D!HY6+L)27laWV|LHSK@diCH3!-Xmq^NFil@=-c?~4qMqk%mP8;Cz^;ATu
z&X8WGp(v=@ZAhs`*Fl&Ynk?cwK^1Sa=k}ioOyM{~+J|~pkfFl#h=b|;+Qz_C{Fc1i
z3QQPEUERAx-O<?LBASp|E%X}a?2HIq(-zrM!40-e>6UJ(&<EyT(@-{WZ&@ck6<RaN
zQP1@%!=m!kP#<Wg$?qBzFLM*o@&|fbEfR#$^cap&oWx>@fK!3eAe17b8a_BqLGxVt
zd3R<76~W6Bxd8`uh>PPlO`}y0V>Hh5X|~&Hjlz69>o*6<q%}!Chfx%?u5n)sQe33d
z3bSm6v)0a&N2d5yP(;(potLM_Z@M4BLx0ol_52szj~)N@>$cx{_3`LfdhM*x<xe_J
zBe*4Zr8CrutjVQwkOpFj;7hYo7u!<MN#Z$9b9PQ<j2E!Sv3^_yJSb-PxFu}rGX{n$
zLmP@LBfp+BbI?o197OV6StI+5wLRnPQ;Q80Ov59-TL88{i?pXby_PzR_@Is=YBqi8
zV~7vw5aOL9QL)?sL`^z6eUTw|>1MjyD4s=;wNt`<D9An#WSD*!*mRbS>jDF#f-aCv
zMdP~8K^5%5XTbrPy8|V+tJ)c=YmEEWgkQ5O*AVJfmUye-Y(rE|8VAu5ZI#jOI{2W{
z-?%2!VhEcX_9b*o)XeKaw-h2OE%KnB8ARCxlIBfz3m~cTnSSFTAY3^5M%iL4Tfyb<
z#&`-SB~aLLQ)Yzo^#IE51;{3Ya(7>InuhaWaH|s`#`$%UURk$S{&-&7HOW_matd$#
zxCe-9+|R;%c@Xw^mE${X51ZyjG>m!QPzl7<g;W;GDh}PvfWFgqNB;2#`i>RIuiRB}
zJZgsOopbh$iLe1OgDc2UHcn>IkY1eE$0$kyc2{D+Z%agCXia%v;vL^m(VvA8q)}jB
zTreDxc;xMyeX;5uq;$6_>GL9tMD~0Vu!CL{V5@~bO_Jd(!k^GQNJEGdgLx1}?A|m^
zELy3FZ>C8Km$s0O2+`}52oyuzg|XVOq0y@6F{toX>;IuFnWY2#hVDgpd-{6MyfLzQ
znKdWD^gOOLYV#mP^p$qrd0dxiZ2C-afc|`cUhAFtXK#DwwGWUJxW@f$91eGhq|D?k
zGDhu>e&?0D#WuVGte{ozZKu=i74)^8&DaZx3tAuehp*qBb_-fx1YtBwvEAB#d-k$>
zbavSB&#bn=EFa@IXSeH@wRDYGZS5Yn2BBc|8k9mBXpjmhp+PF7NAK{(kwwFB6uWCW
zIUSDT0zQ)#MO-GWig`?07IB!gRL66-#iW^N8U7Ux(2yBJ=Mx&zrD{1BoHL1*viVbM
z)QrY#<I+Wn@n@0Y`mKA~J3KzxMd!6g&F9TW=QXCyyZ=1v9+9GtFa4wa-b?>g_v6{&
zo9^-3vt6|F=n=nV_sBmx{H^=ZKRIz#e2RWlEAMv?{I{>qKECaBPd^?Wopn$B4y+4_
z29ME?=;uf7R=w`&Z{5?6r`><N?e@-;HcI_sJwrFQN$L>Y0_wVx46&|W#ABghh$;>z
zIGN=%IAqyyQStqGt$TX<@m;swJ>37O4~mOGNd>PI98jwmm|k2CijlAwm|4LS<9~^R
zC?78}d?r&L-yHVd_-CD$j&AHK<#_Y@heyBpuMhW2Ac`900Ht`pJ@S9^4`2K3*IftL
zf_mk^*_<ec?5b2D2S=}tj^7=9?4F(;pSlD=FPE(A;lV5o^V>z3*Ev2q>;CiX<Ka=S
z+ffu)X_a!kPfm}|jyuP%%V0X{lmk6`-6Mz`b?H=UpB}&J9ytIP)LRO83EqV@m+IhM
z*MC(FoYpD_-07a49Uf5A+Ii_8z393oi?dca;N#Q77l);D+NvQ1@N68WLo^N2#bi(@
z`d_=9Gv@%T8VhL9j(^nYzJBe5XI5BfejoT}{_EnI&59)z_VFA?2^`=Kvz$2Ri&&A9
z?$Q3?(Tid$A}W+4{pPUOJ3M;v@x(v%-*nHqE)C+SLtPXB6TB4ptH@DN4Xe`{iwe>p
zhZ6uHfx|-ld9B$Jj{qH`D|)H;Nt)!zAc+p+j3_${O~l>e^cS<`>aF7H65`9Vvy&c5
z@$a(`77euoA-z(Zr*b`60QY*s1(18}j&BJbo||<Clx~s$Wm=FmCIM6dA)NzX6H(u0
zIAw0n3iO<j$o4`kDYB#XaF7|^zWWX6tGY_nq&0`XCaU&uI=>HHGid+7D69L8)wH#V
zuqNsr!~Xs^VKxc!!FUDozCC@-PFC>K4Mb%JY+EZR2f9iKm%c)8--P0ZxveI-gEDKP
zc?YL?cmc6Gdtc8AbZ25ckg#C)?FbK1ALrK?Q}W|1&%O!09X?Yv%?l{AJl$y)oEio0
zfcHKg9vvKie0%yD2*_8IhuqC*vIXU4l8#z9-hSI_4U<9EdWZWh9um+m_+uxDb9}?@
zT6Qy;*0_g(rCq@ZKzx%6OWQyh#^}6;ekvT_w_vvs<Sf8z2Z5Gnw3GH?o%?Mp61FQa
z;2rL7<HLQKZbl(J&m(|-lbPj=v8(A_NR%}Zou<=HFkBC`0=2<F1T>{Y><Op7mGp-l
zeNl>o;Vqid?!E~h^mwA00XBiwM0xts{evJ6q7~>KLu<G(E@Wqpa-2@WI1uj|3D5-r
zPGiw;LTfcftfsU{khRizJvzlf^#`F`>@?e=<lc~4p`Pz4+flg!#hIfd_GHqXlk9zp
z-+;nKE~c8i4hpP^wj^Tf1n~ez(MqIcWJK3Nh6WrCKO9El*>6H%JvmiPUz-ZclUFQ;
z<dbPsr#rc`2KU)AdLgu+1zW8D#O{gao}Fg)zW<^(zWe0C5S)zs4X4C1t`^2M(400e
zMi}t}Pn>u9eg#%o(wP65(j%+Wd(YEk9u6H_(2Yx+l#PxmjHdJvVDF<=Mm4TKwQuau
z5hEN#pT7TcUX#$^#s{IX&uhSp`{1`c4y$*%{J<9->fP6#+U7c#+13!LJwpaOU7ESr
zTXdn(;};Z#{WM5#8`Ae|AVE!ZhxWwGF=)irj)N=<M=@NZ+o%TT*uz?)wOmtvdA;S-
zCTCIBN#dBkCaj$%S2$iyqrmh&d)*^t3=G(aKEV1WM!~tRRc#xJNU;e@-y>DvpmoTg
zJp^hmo)jo1$R;TM4hL83q4qTnt{wuV-*x?0OHx@7VNDdKVeabrdTDj})11QkCiK;}
zo>Y_89{rlg%JltVJP)F96=yx9ExE};;<(}0C#tdeq?)RZ!LNy|Z{w>txn9M-1u>e@
z#@6}CZ$MIQGfOo=)nQwdELxx7bZxfiri4~OMW8l=<yv2|;5aI&Fr2A$8yQC}6-seZ
z*aB5pRfXrscUpk#Iw}M!Z)dePYuK%;2ji}%LUN^8EHI8r8g;GNC#k8;LRQ~eE4P}N
zHO$sV;=<WpucJb6M$8rrS1lDvp{Hy?DymrstwP$1>lQ+k-cC6*QBQ^B-Y{YTa#piv
zO*!Z7Iu6chhOmfnY9(9Z%dxQQXcDN}4O{k<QfNgZN+=~W;Vhw(0!)xNmhxWAl;UNE
z54#S<(^#NA^I$}Kbzr6K9SgZ1c8hF8DI{YF{==@zI+WvLtTGZr9BRK5hI9Gs!)~#C
zD21jjOnlh2RQe)qbu`@Sx)hGJ4eG<Ld%l)JG4j$Mc3pO15eQP!>?u^*-Wj8R*e%qu
z%K%eIQ>;3d0Z1Y(6PVDPrGWJO^oL!CHLGqfiEP@*(zb@@{bARoP8Wip%wm_7Y@Ek;
z(&v_!^5Hau<G)ae-jlMWdD`d;5_#zu4rX735k7)%Q5fSRc++kJ4U%X!iTN+M6RQC!
zIe^JLV3ufCyzyqUSr;cel1Vqt(-3F;(Fo_tmGf}smf<KN0F+5Et=H-G&wGDE@9AaI
zP?O$-{b6fMJ=DraB%i?0<WDh1`A8Y8e5j3Di7{aK%<I?I2?XVb*hPCfZoz>F=NkQ#
zbAU>97KrRAch;aEez0qVvD@Nl;Spte2X17BDx8I8tM?{+^>TR3TE_TVg(a?CVEI(@
z76G-HYO~FD7fFih6w~)t_?F$d{sAQyJk^VtAgNT{vbrLTKNz>9-)W-Csb3VhL3xjJ
zGF|TUl5+Uy$bZw_Mdvj<YhL3%4u|3-lX1jpM-;Hu{2Gim{y#sq|8>^w?V?|Ho<Cmd
zFcH1Y^GDQ;K~UhT#Wc7j^z7f}7_Jl!P&>%*&woW2Dh*k}qDdM;V|MW)Y2ZU^--1D#
z$`<_c#j`PXLzh+YO)!~8(3ZsC39Vj#|Lk!C?L68cAHOuv&d$z<Emo)1BDw&b*Lp90
z%la>V**mY1l9oLe1vG)Xxir|%lR%a>Q#_mvaJ?Q31`T+@F{qtjFhD=;p&q3RQD>cT
z0Q05}bsFfrc3y-1=0uzr&Ck*x&MuO4LSJflfb+o^UO@X22XNOWdjm;=rcn^aaPdcz
zQYXB)-G*bZyw2?uTl^RUn9Ks4$v1^LxWQY&Io~WKq*t!!#wkWu_?BK+4wHx8w#^n=
zn?-D6P|p%}Ci;Tl#BTy>vQnLYU*s>sOPS|AukFG_KCfM2JlzhWaE|HR(5vS-&bR3`
z6{N{|?XS-Zs}TZHxaT!xD@f}yOJWZV#zC6ld~cRtZ2w}x7{bBTT_pd`Yj2XcfgV3Y
z{xn68A3c7A9{s%g_?O+Me?>3eoLLZX9*j%~?^@^Q=d~w~w*U3=x5x3@7jK{MJjTiX
z{P3qV`StO?evhB_d{V;#cC$TAu5pTo+x=TUr0&f$g(IJ`>RrK<Fge9}!{>!^RW6wd
zsX7&mMQVO<eU_&0AAQj6l(p0s3<mF6O`@3L>&^#zB@W5C84L!x>ZXQ)VN8|K9(vzw
zasd;@VT%LSTEH#bT5~?%*;pIsi&z|FILM~@<QBK!i}x%HlF2lIyN=lnhT-6f{Gz4u
z@_%a{vl_=z9fX4`2zAw3Fe?#yMgFOEl&kgJ6P}n{vs|CNlt>JXJ@kdl5h7VTM6dP9
zx5wn$fP8yGuR<Wr2nuzsI^IJY)_}gSN15slh=l^GfhD6hRW`G@q=?m1oW|xw809#v
zvyxYs-ql4aH^X=k&4xHr%G8!_-CyT|OQe=Iq(2)(KDW5YI2^$&!gyMrgi#b`c#y<H
zYb36_bIdz)GMuxZqh5zHanV%+X|VZJ(XpW~T9XEGoF>=)MJ^&44L{~t3p4|`#Lh7e
z))&2BLh+<b5>R@zZ*$xWKV!}<Jq)1_scl7jh85&ZyrLHEDCsl5l6<YdR|`KFli6(8
z%)-yujd_^$f(fQ+llm-;b{c4wMvqP0p?rrswx_S5>Q<9J_w1^V^{S7JsvJ)ac5jcj
zEAdokc^GBZ+Cq8O`hVHE{}%hd&9+P|p38RS<*J}s**XU6ixo7XyGoca?3UrCt58|R
z4!FdX;Hc-UwjXE>o6T0U>8SO^5ORq*ZIO+G6b~u3>gw1$NEwg(>9m*AO*6__f4xk|
zo&NZ}@$<a)_UQ2F@a)ikefV#Fp!5+vPHB{Qi^1cG7=F-mhXPX{F9(TZ^;iS61V;OZ
zJp<Ge3Q8}a=R@_@a7fg6RCH2Q-HA*p(>sV<Yn7U-1M7zwgRFPe)Hq<SIYQ_34Tx3|
z%|Pp=%q61wojK1sDn!CQ1}3lq+$2K_5M!qU#6?4_OA4mW;!Y#(wH9FstY#ALhZ$?G
zy~_lu3`H4#&fYpX4m0hlLdT`$RMX0}<A7bl8fMKH-{kxzH%&1#%PtC0`$Np@W#F4^
zdEdF$Zvjec62SkM{%2hn748agDZqhW{^VBX^-tnjV%N!pgkEXM&n2+Y@+$%jE6wrH
zuM2b_Enf*L#6fpCmKuQpr0H1uFT!D!?#^rGRnGEOEJt6;S9uS<W2lRgW1!uNY__Nt
z7Mg=o?#gx#vxF6D#<HLz!C;p0<1cmn;}0aC%#(149-+VUFT46x+p7t~eL7rlO!bce
z-$J7DO6`->aCZ1HxZm*p6td3#**e^1nHuP0zkxmu6sWBh^5OC-V(!F6yy6XA@Y=2n
zWqC5q_<eaS22PV}(k9H&jC4$hlZM*63MungE0tx+Bb#md^?Hl*S|Gom{Z*Y8Pepow
z_E7y}U&tNx1q?*`MTqp9;wDzL{-CJ-pg9Pls7@GTrRtq0*ai{gJlJLLe5Ym~UnD73
zt|w>NQH>I1ZViBS=*vRM;mR>eM)mWWbTHtRzeGgTt@aiw%QB@8ObN=FQX(Brrj#&|
zG9}>g`9hRLLVSekSX>I^3^rG2G8_+`en)m4f{~L1wG<t^xxUC9+I8uvl`a{Ue^Oi=
z&K9!C_XQcijTh?3KNi%-$_slWRf-WpF2CITGtA85VkPeTHQ$#f@icX~`loug#cqiD
z$8Hw4mOOPRWqsZi7Zuqq^^YgR3ap{}SJG4YBvSv1#9<9AQzM~je(CzI$8Z-Lxf4y_
zHO#CUCs!GC5lBH+W6#XxRZv`!C20RQq=$&s;%2F=S(l(YED;|&z8PRV#6$G`mx?a$
z==!A<v+%zHiBYYw&Fc~^K25URc$u54Yy15x)ml_bEtF|e<852&-N42hT9nNp7Of#C
zz>ZOeahTJ&KSZ}UH!S^v_{;Re*F&DZ@mcx_t6{GC2wx9(X`f*md<EVtr?qDElmJ0u
z3fEto?j9-&7SzlPJAk6;f)!nW2<LGBdOVxDRXV9a`b*u#+`u!`UW>P|R@!;ds~Te{
z&m2JpEv>t>!Qw`Fbz|&MbY;eO0i$a`G|eU_?!FZ$68e4}!YYzp7z4}K-WoB4n2^`X
z>$MxGKg(T}SdgS{aj@ryNg^S;h4d)(ZtvldDCt?tkF+`FqV38ivc!WmCSuWCfhoP^
z7F>8A17G;06)U*F6@;}4`vAoA(<;)*TU-Yjedpx>hjV)E|My>*`n{WEpKSST@Z*7I
z30z5_@VeN@RFCPrHVJ9=r@;7C8@mM-8Ws^_6^z?OFA>N)C1@_c%tbCOSu40zXI`pS
zTi0_EW~p9QJRh@EAI?)V6({McI#}R*UCG(4D(Dp_y1tluvKC!J)|V>Z;XdtXsin$`
zFdpG_nuamF9pn86DY)d{ILK_;)Ls7BcNVxNp5yekURR!h>a;4pfApc5jf2Nee+E6N
z6tTxf3X1J%!TDfJHyXZ8qXxtw<?El|63WpW#utfE3eYHTEvJxeB@425xPMCT<2k`8
zs4I9g0$pt6%cN6L1jkMDAdEBf?VU=UUG(18n(%gpQ+|U|qr5^pN(NUD#TXSoG#q+~
z{28Pu8gUY{ZKbEoRw%9-<wSi*UnlP}j1)%3Zgph+=%kWkXpV5+Q>t>nO?Lm$;jn?e
zpftGN@1D}Pn%coKPeZC*7NjE)59!Wp{0awWh=iQP(mGIzi8wp#IdaW7`Z6*Dwpybs
zy#mk*CTM9kMVE4XU8FsoehL5MCqCGHRGb|JEecX8{S*gR)!_q@jN&(&6f(*hT#*^9
ze=58<1znHBNL*e<ypiv}a7AM;ar3{$DN;N<d6~$H1Jo?AbBMf)Z#PJKhsTNo6z1PK
zI0E_`42&mO790@wb>GSiiZTwaSVSu2UKp!+7o~_OkOEs~=?;gYwv2+|8yA=iqP}No
zM9dxM$OjTxyg#q?h5h=VdD8N0;f9}7uE9{t;&cr>S5tl(V$a$apPGjkobCI`@Ro$=
zY-<3k``$cw@L}=rTWnIc4=TVL%m0q*bdUl;QdHk^guJ^})g0gC^(`xcT1FVqq5@$B
z@C7nam2+ih6_cw5O7SpESujgqNyh)5;hVex$7EoiE<K>ghwbEC%HP-Tatd^V?C`vj
zE5}0xJ-d+MTT}o8unS>C_G2<c2V0Wit>ZBhN~6To6A;BGS5AIg3d|AFIGqLkdNv8h
zdNn8i<18yQ4ycIu{I8S={I8H1dW8a}@V^4)@IN<`_+J6D_@A3;{O`{3ylUBqFj#V+
zWD}CCR1Q!ib;v|=tL%#~4x-3X+YeRW$c2fbq>UM5TS*)CqP(iiz$6*sh+n|5@bw>6
ziH6EcL5ePesRCSfMNIJ(A5~DxFa9XG(5MP<#WhD?(E1M>SR2J<28X}Cwq@2)+gsTi
zM|-o5J|=$FwE-un8un42hIXiB*(8&3kVt(GW_^Tnf0mCs;~<J~Ji_2~O_L0so{@+O
zo^YK8Hx?hpIZo*<^a8((nH8AgXU1Bfwb~Kk99<hEQHo-N+N{X%BEjrA@NZ^$kmlLD
zFdx_XD=fhOGSrjYnc$p!^-ucSo8W-EqdWBd7spfU?duxWCV@AJve_5<{)_pj99iu=
z)k5-8hPY#b*9&?#C4_k}=3LU6o1(+onDbX_L%qsa-5fB>L_}gjY?{04khQ1BS7z8Q
z607}kZ_jzHVfJSuWW`2ep+6Ylx{-7=Y1O2Gl#^W!GtK6Aq3<RS>K3>)=d}(Co6gvI
zZC4QF@_kI_cB|nK9qrtsOV>0M=T<dK^-oprwnE$JMfa?57OUudSd`^1H31BPEgu%A
zbI4pR!e&btVNa(k4oW7IARYo6w6{1rSP-P6*#yUVG5gPJaS{)Jts)>LUT_m07m5Ub
zmDMh)^OKXJ`HZLuc7(D5z%~i$01AuM1rQ_JTRc>!iD(j%i+d*M!uNup%XV#3(C#52
zi0ug&Q_Rt7bD_u{1HBE`ufCcvEAm5+7hS=7v#4ucD9)#A&|bD5;*ie?&c_J|`pI$c
z%qidxN4p^wKJJ>^I)P>;yBFa9+I1lzqT5ASNqDHV1cL#d=JLH46c1f??0cvX+&w`E
z%rE3?y51OX(5N&I(QG#1k^)Uc8?F^R1Z*d~ax#_{GpQ-5kzAD&%7jNrC7REutZ;^J
z+$)W=5=~|n7SGbiS^B{eN#!@sLot`F@T8o6`pu9K;tE+uBbJv1_HKLwTL8T4zEQ1s
zAdb`rafD6VYp8hJPlSUo3v4G*4fKDr693IgII|KB^u^e}tfc|IQl{c-<R>8EOzh7|
zil;$}d*LW1GlfT*2V{DNpS9=r%TKH?9pOZK)6u=vA+z7s^XjC8P1{W)Z}-Tsw+og?
zQ!FJuf3kFiE|T|7RuDR@o}^I1q@_ImRRY-&&bO8RR*q$J;lmSEQ|7$c@vBp?$^zMM
z7t@hh;b2d}Q3UgxR&h(W^ox`B-?>^U&nkO9uf1U#i8D%Jq%pmqf4<nPzU=u9?YRWh
z65?z&B?bu(2}^@~mSR5|C25$CCz%_>`}3M;w4L!*+d(u+vh&&pdiQO>f%GulK55GL
zAibUD$u3eWzCW+g#{lfS_Q4RBagdFz7UW?;{b?{9hVjU1!k#-?-EG;^d`d-rKN-O6
zI^`?y)f2rWw09`z|Je9m6U;`r#91n00iChQJb=rOSTGqtjf>k!5ed<TTfB;)9$9DB
z8V-X38%GU&=&l9HyrRSHmcFV8^pLKXR<ZDFx9%xk)xHbewsGrTXp0vy>BD5OO_U&+
zx=vxD>1tA?IGH1rXekh(NH^*?P)NiTfVh#Tz*Q|$t&SE@9BXtoELmC5)hKFL<!IRL
z#FNTCbtglLd8L0LYJzuRp-?dq3AGgv;tZE{&q+hpDw&kO;WWIsU21BU*ke~<{hw=)
z3o$F6`US`ecDV3)V7A;DRWD`CrSukM^&3S3x^#-SclhGyK56~}JpP;T|GEi(5S-N$
z{U8N@<^(?x!?h>&H<5H+?B3j!H_VmieMdN_UZ^~zNX?ym+vy&|u*qJ);m*XG`*{|3
zyqS4j(d$;KqCHfnVEARDdLDItUNfZY@5rn_>r-o0-!ZE08db{@ijLsKJ?G^6whN@b
zQ9eh{{Ij<`hpt{!XTX!D%4+f5VUUDo0YcnIw@|#-rCo|NfROFAtAYDom8~v5iizB!
zRLWZV-XYlvoMx*w4dG-hF>1T2D1!Rt4aM$r`>xwt_?c0DQwoKzTcaSut~F!h$QOTe
zg}OVILv?PW<AwGv6<#7%rT7DPu!a8kLuX@izkA@neSJn>V|I9S);-nVP$(g~e8pmT
z;{A31c-!rrxvol9iAC(Ln@F%kr;gu|%2SJ7k;Q)skwAgC$)s2`rM3ISA#I{)lC7c_
zMfHQh)hJD7@sKN%4~<$JOmJ4)eP7GRVODF@Kvi{;A+9xQ6jM@bLZM`}-J0ilUElW`
z9pCRX-unLA#v9*%)9Ctsw{h(I$MDVT`kkk3`tZ>A4`~TheC7MEXger?X8`Mk@4pa@
zqkXe@*7p4w0|^iQ;rsuf-(=tLlY9^upZ6(DfFZGf55VG`@4pj0KI<rT0FLaNL!7oH
zMDqKLHh~W)ARnY)NE-`!h+Zz+v}+FW$m|rrXq{fRO;SK@(Vy~6H0cOTUYaBV(#zok
z1b7DDpbB(nR1stJ2_lCSpw52J_upN<B%S&u=M9=0;~Dt=z!(LsEUWZ<zb9FBpg<Vy
z`~HY=`gY&<Z}$Zm<}a0cVaNAFM&Iib-@iVQ^?HD`^5OGu3ILEdXdd`}00pE<-Z2`}
z+VCOBM+$b@6a;(-Id4-UYBMKpH~!`O|B{0inBJ6?klx7Ge^QX}!9nJ00SQb|M0pJ$
zHEK-n3z8IjFfjqHHo?>OCVJcyT|mY-$j@s5sZnFT7LZVpgDh>hFi35tr)vQzH58q3
zYXG?cA=&^fH-P1OK^pTF`#x5Mer*B)C0X0|GsP)^vd$(3xI}liZQs9b%kg!pz%Ifh
zFsK~lP9>&`fZTvJ*#O85sJQhoXbFi}2lJNbZXMHW1B_i_1YfT^LtSZ{y4jq2u>oH|
z)3i_40y1p-ekdo(v$X&nwS9jifj(Ue&<zYeY5RU6@f@$FCB6nluiCzUC4oL)3($2;
z!NO^#0iSMUnth{*y#aHzUMvl|h}s^FQlZBU1V8H?#O5aG2Jl=jH5Zvl1zJW6nx<_!
zC+zNaDoZA9-=8q6N=64rcEG5Sul<FHsy)mr`&<kgZsX@}Y<k}&nXq163eYx?UD|+8
zvW_qvN-F)hO%VkucBS1|1IP^s*akp;J=QHUDId3e|FP6)^R?*uM{VDKB!TAl1=?G{
zv~GY?8*n)`pb9pC<pw~mmpz6+Xj5v;1Y#rM(7Iit-U3dCVus1%)_n)E2=UgdosAwf
z;Q61*HP%$mdNM%kB{hItZ_wUbAo08b2Vn!;+W^RQD})W;xybC(6wi7b=?#GVdal!^
zCi^;wvcw3!a(7>kKZZ<eZq<BqGQHl3xhatAmD}C|&iA@q6ac!Bl<r1=Zo~*|AXNBM
zu&K9zOAK(jYxS8nLYuEY6P=Ej_Asr?`#DQw)(=2x?s~iykeXxpY%L(ykqX`Dz!#C1
z_4c>{QZM2K{8t1Yz6kafNDOR5O>V#k+DP`tIX&+O^4<DVZR?Hx0ptdfGf=U+RujGf
z_N?2v*%Z$=0CF9{oB{IxY?f#P?Abtg@MoDn>t#@Hfp}xR`meV@LRH&Vv*ON1gKXN!
z?wt?mEs#~bZu|bV<o@)&adB^f0BF6!u>tOH3QLUx>oKSsaiTUb^!0+2QYH_I`F`ir
zlP8vpLs{?>zJa3e@FQu;DZUOrSq3t+uXxz<1R2!%dEfVc-j^^){rLf)LcX4O#__B2
z4_`l_C68Ol$Ur*{_k^7ll;aRugW?E>y7Y;+ugsE;IFF_efK5(GDEKK4)QO7p_!>d^
zjG_$a$g_Le$;V3zto&v)(df@Nau(Kx@fyf>>?4N)?eRX9AK&l%lcFvC9Z3xrN&<p4
z@I^UZ$YM!iK!NAcBgSHhoIHC7Kj8za7zL8T@?a{*KR?g~>2wk4-0(*sWq|p{c~D?E
zjGAw}i}n>lNwz^_UT4}-BoJJ(j(#>%n<_140A1&13ma=<@{|giqB#IXsKb0McnaOf
z9*hZMwUK=1sHQJXROL4b-0|Vj^T7g3PqCTRz)0;KbD>9+{8p@y;e+khHcsctZ<2{}
zZU{{W>^xXRuGaHWD4mQaQa%sGA!1EFr>cAco!B~r<U2HyXOe~f+gGGkQU;npZ7CpH
z$o8DE%VoFVL)kEI!jP4ql+}a>g*AmlDo6@jZz5hGi>*VaYF_)$l}P8I4E?!#=*G;D
z?W7(Qev3!-ptP0}VPny&)iDH|x){Rhw7ECwa+}~oms6=2JnCdHvT?Kcxy_$&EpyW@
zV1iDRHVwGsh&4WsI~-3*90N~-1ApE3{lD%jL-?iR`@a<4wDA1bB?zIl%sYy@U@$Cp
zNP91u?c0^5`V-xF)caEhuer!Oly2nf1vOSK8>GdUPuX<^%MNtP+Sy3lv}M<xlKftv
z2V15t_tnvQ)J;`*<IzY~gy%&P_0-I!>&5+I8@6FTX#vj=FqNi4emmw~pGQSVS{g(7
zi6$PsOv8u;L{zG9Q?o_SRG-K-=M1f6m^6*lJC+-6dr<!@_8|Zu$dh3SWKS-|EBk=9
zT5qlHB8*z&$5QN;u@(GuJ>wz}ca@MpMuL(GMN^P8zUe59MF*Y|7)tC!s#F(~OI1vy
z@s@m(ADZ@y-H};of6~x;R4GdHXY?YBUt7^wMy#Y!;*uSo@%>Jpq9b8TB;?SbG4CZ-
z^`fR!TJ2)6E@l~s`F<zunC;|PWV9zItrR(F=V=qyw6P)F?9;|f-%2E9tZk?z1Eism
z4ZY6^^SMj)w=ut=j?10m=zZQ-2FP%fLj**buOWM145Pez&oSFBMWhVUgVeo^yzI;+
zp1K#wq`uJH8<Jt@g;ye_0N={#y#PxzzU&-&y27K4U8IyAw2LQ;G3%ylj@^Z;R3;qF
ze1DzDN%$Ia^RDR(nPib{m1rA*MOUUInWRXIeJC?VtV|{Yq0A@#vL<GLDp&4#TXot?
zEkw=(C<61cZNt=Y_vp&D5&)QhZ9jPK>OzJByxOHxm9q|AO4c=>?B2(!{nAQ4w^y)G
zhWv1vXrY??aN4TH@Qyl*d)#*G*lq5l5${OH-bDl{wk{%Q0?dbQ_>rZ8?-0aiZhxT^
z5s$_?OLebxIxqHH$<N=sLU*rQ<o!vd{7&3U=W^C;%|9-2_T}L9SctXTTx3%i$^fCH
za(%_z)w#8fVR*e#acgXBsrNL>A;UM<Du5(|0Z=DR*SV@uikwHaqRiMVkCKMN^L-}{
zQa}rE_-s)`Hd&(k9jkl8kAVV%!$8TT<NJwIq3<hlpe9XShML>5*1j?|q`zuAs83be
zi$Qrb6C#!f7m?kiJ`6#ZGZ6$`hMKOZSXge-_Oh!aI@zv0n}$0byH-c4em4Y3JBbRX
z?-Qnm)%pNM7wml{Y5*XN%R=h*%hGV{eoCoLrE-OGsj&E1;sXv(6(`LEJ>91sukUv*
zDDeSBYv8>8XEhpgh`vXyzF61s;I30wen?VTOfm?`n2#cgDFm5@2ApK4E|E}JDmt8Y
z6)a>t!%5Fq$z>OEgi;CUJ}IMz%W^^!)suq<GDv_ABLLFjc9of-6T}G%8ml22JTUgH
zKJ8YyV_iNB=e(3dbFMjg)E*j(UWdA;Br0|kag)noHifw~b%h7WLEKobzdlC^<~wb(
zScYrxA-!4ISk5H*Q@42p=+1#QTXi*~dj&TgGgh^m{?hjSU!)%T?4FofF87H5W9kNv
zS_(VU>va9)Dr`qrBpSz_s-%?sm9=j>zJIIw1X@2&yGB1AMA_O(<iCr>4!C1%&EesN
zy0&CbrFp@+tlG+{F;xH5z{d9F^LAmzTL>fb0i^wAS4Ie8dDJ+8tZ{UQ(i~EXNsT9@
z*rPFuwDFaT@@g*2q;mP9yqps3Vr8LSUMN#vm?cIVCkG_27TX8FIU?7{rNbnruoOsT
zR**Jn*BtH}J)V;-9rIX6<w-{(K-nVY!hq0`I(C6gR+f5|=ox;zT%wU?nhQfqO<YS2
zTxvi)#s4$tD#!l-*Sen_I(_`L5B&kIbw70vU1}$z&tu=Y);-==hAv}Erk$Xr#7Bst
zN0YE(&U?!Cc0Mhlc7^X}0JrCSi{;;>;gSFg0?(EUPRR-we25h=kM7u(gydtrG_M<0
zdQsBi9?dI4RaImPD}QE{Wtu^i9|z&}UGURxiQ27D$o%)e70o0k5AR|4pzzZit5b!8
zAR(NC&)Z6f%TZC4wASC$JV&aQ7^Km{hW>+t=pv6J@bTypezBAbq{NEIa|>}Tx{Ws6
z&^0i4Cc`KhC%|lmZ?^iGc9q!2_d7=(r~+v(0ID<tazb=`duyRo&r<8U3g8=H#K%29
zP=wboIFI*z|FN+jIzA8z`?cvJLvy1?!`QvC9OJwrV^d1wLNFTfpS6Vuy;LB2-A<l$
z4h$e3=w7HLZ44(tY`wWe;tTyUho1ww>6rD6$Whq~=uyLF)K>t~7VNZ!=wS^lWD*YQ
zvuizg{i#)7Ri~!m^=OX9XrX{~29MM3{aeUyP+ttnqkEN%+Hw*?ZDmLv^{wtnqssbF
z*411a`c0~pj<5MoK4?H<j9Fmr`JIcj4Y09`5KQ)^jsU3K^_j8~<!(WE;L$tbq3o}1
z-~Ve{!RCb;VDGS6qmJ*7I%X~Ssnw4el^839a?xu&Q^)LeJ4bAWYSHRY;i48N=50m6
zNEe0;Qevk(@aPT%qXoMqU$#&l0Ew&?)qOZo`?>A=Kda4@2S5+2BgPfkLU}-1Jh56_
zb$tJ-qqI;ScvQ6;Eq-eI{!eNj$^+8k(rTf4-!82%U)S&zP2f}wtu+jv<)38><pGe`
zYQZLfY@s~xs5QKIi)zL@NnG7*c~M?|x~yqlF2H>#>xvi#RBKN}i3O@PqMLIu_29g2
z=SlmFs?y)vzW;k$fhCY*`plK5HxK1?6!%_Ml^D=$r{TK6H=!KqGufGV<|$b?M`LJX
zi-JejfuxH@bS<+Z410UX)3PB;GvHA#;F}HESBA`9v&UQI1w&>YfIZ~AWXMd9@F72c
zAVW6h-c7-fSrXYE^1Niozwi70?=p#cdGIiXY#5u*1w&@SU=R68$&i2U`2Nqzs%Q6M
z4B1e8&&(mSY!P$+q3c=K_h-s!0T$7*D8#19O$k+)Ljd26Bjou55embY>=+a}VM4*C
zi#_~jCBrwC!p9FpC=4H>wN7pK%f9dbBB%b&1L5+5+HNJAcD3*OS8~YD9|)Hhv}r8r
zw1>R&=hJpZSnzb6HjTj+Lw+D;d_kMG(p;W&e19Uj+<G8GuA0ki&!vPS^BN+B>d`fH
zs3S+ArZQx5MjPN0`J&yyYK9S@!#Hh};(e0>qKT(0F34i7^<~H2fniLEn|<Ykn|jP#
z4p$P-c*eVV(zUyh7{LdOObzxm8nzZhLI|E?T&@oFw7BSQyrJ%7npW%XQths%uMvFf
zsbf1kMk}#msOLtXS;xLik$mG@uS1tqRlWgifS^c&v2j9vgZ{cA2UreTqh{PyXs_vq
zr){h`z4pX?TA~xpx2!x6ow%S&$EKt`<mZ1r%V*^0F1u^=Z_L-9K9C_-MRWHt_77CB
ztBn19Tsreovj;Nd1zkE&n)ZOle?A@?i;r_-z=5yjSYOE95CX14VgN%r6FenMzh7-O
z0iiaHuK?k$ySBO$k_xCtb+fZJV-D1&J|$CY&e}}jE85Cavh-$c77Idc>f3lqZrZHP
z6h73Z>eEvev&`DeX@=UAMIN=kYoN(;+)-&lWeS9_025|Epf<(IqtSaM=Os<@g4)aB
zy&QLzqhO&_b<|nT);=6(+&sFc0${s*JSZ?i8d!0Bol|h9L6pT~+qP}nwrxBABoj?+
z+qP{@Y+Dl>6C0b|t$o<qs(t;cAHM3Y>biaIx#yR{z~Tey?+@;CN)ttIg5RWm;zy$+
z`WC1%I%au}VTn(+Sr48QQJ@m9vMqfWW7!z;wMVV_g&#FN38IVG>ejD#w>Q7py2n`%
zA;}5R?<j&DS6dH@e<?hcA9En(W15AvoP#TbJo6KX>*gCyP#rW0Vw7D_vnQ&ur9PqN
zxH@(YOq$=z@-FXi2KIQ`3uo<7OpZK=j9wJm3^t=A!;zXef;(zsDveIfH@7zIt1Z4E
z%AM=5w~>Ozp*xb-EN=(Ys&UeI<@uZP{B1%W62H%?Ep&_KGxmy*unHQUS&`qIFl_%8
zDj-Jf^{F$*P_vsm2H)--GVbaj->Y(;LcEX?Ed{TpA8(vz++JH7Vh^Pp4vTl?GKVm{
z?tR%*=Qb!|pgl(hObJf2oRoYDi@A<p!<Q<^>rQmW`0sV-yabGSfra<pCN@HhmGfw}
z??M@x8y#?(K_xTuVR}ii&8M~Q)}esRxUFd@57sp`G*>w(hpQ)>Z37227sq1Ef}Bls
z^fI<lG1r5zr%P5jH+^v*<0dxi3|RndG_kGHISSfOmP*ToZkst57E{W`OAK=5sidC$
zRlX#Nigx41Kq*ZztC+CjtmlIX@VcPiuflvNRE-|^ksCv<&RMlrw$Nf=zrXJ459NkN
z@gvT^H&q*#M(ipz3Rc8a;v5E4O(!r9SzX;QDz3w<uIIO!m<dE#H&OSScvvcwcC`yu
z7AVHwh=fe76G9$5opgfIhiCOEGIUG;Ve=qj%CaMZ4T)2CS!{5jelUXK6=h<K3{2lN
zT*fw5vWn|47a*kixR_YV=krC(Ax6>L)eu-QHk{{Qv{b;AlZUPWx4&0b$T9?vZzFER
z_=o3Hx6%ZH#ngEh@wLyKsHHRO{aTH12S#ZH+;GK}H&sc1xMhD`M2Sn}ueWG84-7YV
zzTKd28|Rg7pYas91F!*}ALL;+cGs0B?|k9Khn@b#j33EJW_2!f=LQnMA41wZu3SX9
zt-m!CTne1|uT&H&M8(QhVDrqLMPScYD@4HEOnH5_uHV0|dJ9F}_~dM@7oU#njo_z-
zQ#2)R3?mJRfgnxf(&gm%yu`|yan%#K%A0k&7bx63S6hDRa9_%fUNzL=NrSBB^SW?!
zt|6lDmEF0hDR$8eK4CUjNvlJM(4QgW%tr4v-;_}#&I@xhuB??v)SWQGj6k&%Pijl~
zMlkqDjn?2%THCX+@Kq5F4kq~wu250d@-Ny*3$DNH>QAi`Lu2bpK}g*u52emdM9{;>
zzy)6qvdCk{)g;-^&CKm&S`ICGjv&E`JMe3P`g@BqQ-rZ0F3?nY=-85=5!PG|O8M+&
zDP_n`q!pGQ?e1oI)d#OC(w|&@<Jp><3k=}P{*B5wB?&1QxQ=O=`nZqH^N>Gdb~;)Z
z{B(m%>Z$c{#sKIyGfTIv0}b6oi>0X;da}t6v^sYLw~=mhx1<U?mfQSUB{u+on6uQ8
z13UYazVoTm-YVBCVaRcg$(<SS6v786e5r^o-=w0gFxBau`?06(x->RBl<J#j+`DGg
zD0{I{ndR#vBRGCn7qw|RUnk3F$97ilDGRFj@{X?N_rbZ?y|oPi@1e+VJYpi^@pb+w
zimcSzPe?RM`n9!O8fHhP?Qq$i?(vE$O&9b%f#HRV;FG4vZs%Y?Q#F6Kx}VW-Au>p{
z;Fx(FXZoxg5Q7I!nbE+l{6sQt6o1=!@xEGXH<6Tvjt^@;Lotwu|NZyzb4MS4N6oGJ
zC^V08+j;Hrb8h)|={)^?X5`2m7BDcw#Vzq{g1qyQ(?h+c>hoX@zxHcqigB&7dYL0g
zscVMSjkoOajbvJ4*lQmYXrh8NFGUfbn;>>zu{Je?nu*F;a#2aim^$bVU>Mi0H&Hm1
zUyR@5o4<oVT~XdUa|GX&GLSxuo1a76W+U`^`sbMtpG#_i2M{X~i7NSRt!t_r&_(8W
z7i7Ru1~6|XRS&Pc=2hAA#ShlYO_F^qV`S&K%Xrj=%E!xK7$(r)b#s<gu=Dkd9=~iu
z<$ZanxOf+==;|P+<jLfNS(~q$K<9d5>u!h@!`cb{TwwQsF1!ro$4#+>obkz>uc9Tr
zP8@00g&RD2>i{cn`KNXNS=P*+yL#1(@HlASy%AVN;a|kCL%>cED$d$!DbTX-jTr%V
z1lKOrz(#{hH~_@c77G27H-nsVm0!5VUN9Ne`cDM6vy-l<W|?0-f^v|T8BMWc5H?<k
z^Q#|JnvR<cxy>68L^&tA`9_|G^fm0BB5j=J{Z)!T$jDp*!GnSsduG+9*1WtOv!K7P
z_PaFqB!0m(T9Jm*G)-<)bI@yed0xAibjM^e=jXrlb6Z1!?J)74oAV72^hKyp1mYZ=
zTNZ#Ddwq^OkKzW~=Z(iCCSrL5Y#16rLY<ho7mC?18dCOHcur515f_d?oEIAw-Ak({
zPpye6M(l2G+YjF3GVapGsk3G{8QJ}+UC0!9hs$k<r_IZN)GrP*UH-P9EtlDfsW;!3
z8(vE+8_=jR&@qU*bz-RTccu)-WGyvlk3O@yzTwfu_>1~^I?*?%bxo+<l#i17YMmO;
z5G?0UWK`gNI#=S6#?Zh%EJf3x@V^tt%xdj~f>cn#)+9l^HC0-dq%l0k3@y87=T^nQ
zACZPpy7BR`K2eQZD0u?!%!^C91<1<u(ydP2P1pG>dMMLFA~s|8VWZrwH_Tn6B6I(G
zBq9APIq8B>!ZeAPL6lZ<mw^Y0B>US+;LnRt03zYmNg^_4pM4{FF2FoDhks9Z!9(xg
z1YPxDi3d&Y&EJDWp3%Ejcg;BxamDzF#YUD;3+2DSL_*WgS43jJ7ty|Bl|C}hy#8{a
zCiB`a?|T8-niCtBbl2SwhS~4W(P^XAL)^F;bR;xP8ZP$=ZUnkCPC*~$+~M?fywM(R
z!j*+9ndJZZZEGJ%l_mh4tOJ+wDDoIq`cU1~Y2lb(fTw{6ycblg0p$M)!x2?sIWM0)
znV1vkz1oQBo(Et^Gj1O<8FMzbdA)!LSm5vEH9(v9!U$2`HDNNKieHpNC$R*VE<;sR
z_@GzE%yokms8HBa-FkPE%P_RuE^Tbqmb1r1=&<%`I#o>gN5HY}mPK~tXm^+?WM_-d
zCB_;W%qllp&mI|YnYc*65T!>ZHt&phYdSnUIBJd*+6*LBHJ<D@tdUjWMNd9gxmHxp
zC{fVi2XshUK=1i^Y2m?jmCqDn)V!6**k<_C7Cl-**0jJR9Kin#b|=_Iotb!e{MUM=
zjEj)CTOlbbun0$^eiTm*_gX#aixqdgfK9Yo&{gZW{chAd@#w@(r~<-7k^}EC?zx1*
zNn=%Q+meQAxr~8+9&fpQbeJ4ct@EgrqB>s5!rimQxCkBUm~qaKPC+`mnYD-+xmlrv
z%#_TAs^!f_Qob+KlGyR{ig*-(u(y;Zzh900_r2_oOkMg16jLmY#VEH|`A3_QNt%jw
zE<CZ{bP(pXukifqOct<)>cEm`t!u)U8Lx@K$d@Utz7#Eqzc9e#ZdiBN7=D`?QLdkj
z@=G1C(MStQ9Q379d$c~Gxzag#ufR?Cp&|f<hBm61G?k@rE5+6FRl_B|K<Kx@kY1Td
zAkEwP%y;~^DH(+Qx%|BJsOQA3bEHyG`#9ov?UUFtUWR%(^ZP<ZPl4Ogk}kFg?=lqs
z`O8;Pti&cr@IFd#vF+t<e(XY!YfQm_O0BbP-;lKGbyb`GffRetxi0Y}+}@TkR0|A4
zn7mF!4o%v0YkERXiBe}uka~$UXuNx0BVnNoO0q4C$6w}<85jmLQuq%aLu4_m5Hzor
zl2#fF-9-fu4aVe?9KLnV68%Oo19>1bPJ<tM#vtz_4;nh>BZjM}4zI}_%uEkkbR<g~
zJ45S_=BljB+wm+WAB>CM(&U+ToY+Y9+QuSd-q6N3MeRm7ZA(tj_--{8@VWvUS8Jsv
z-*A*Y;j+1;vrzHT^P>l23O$`R<PEf*)81`$A1aOLPjV|)4oLPtT}@sGeogvDFQ`x)
zOGiW~I}E#~r&rjREcpV=lgRalhi;%rSU<rbBp6uBr_u_4Q|(ku>quF9wC(yxbv<*c
z!TBGkB$2y{UND=`h)su=kV{P26bC5EMyGG6m>O0U^STP>RJ4kaQUIx@Vl^zai>>(m
z?6o33c;w27Ru6o+nQRorgrW?5kTcWWI4B349M#gy)cU@1lTFynwNtBHXIc~CQNhs5
z>d|EwjCO~f9$O9}9Rb$8lzXq5*MOE;=hnAiR(|~3jt1K+3N%a-A|eC-?IpRaqEH><
z+WA>*r>bW1TwbC8j9j^Ic^QTpWd4?CyE4Adi`G)moDN7KiX*-<c?eNywj{rmQAm|^
zK+#u+>Q?aT-aFD{hw~XmNiHAz-p3Uhd+)E?4zWNQi@;>JaaZ`2W>r4(;-6TBsc95d
z3GC6HGPrKT#-2aqs@I4wRokE6KY_#l9Z<Z>2b5u=1qAeh5Ay#66vO<iH+6IXm^%O%
zY+NsWZC!CW8&5sHVbVP&3%b!VvOis94Xz0?OHu6~Xq00Wx7B1oEHlXpiT?m$DM#0Q
z|Aw9IpE8m<@6XPz8APN>00nU3#QZJ@uvT=<lp3J2A<Sp2LwcjY^bbBHOW5i5euOE=
zAEq-!&32nZqfESQIrB%#C~VbZ43JlbQ56AxeD_^)`P4a`#(mF^!mPLmxpcf*fuV3>
z41gIp-AgpTpdN43fc)Ijsb`zbf0PZl%ej8{CqhLc34JF&P|06~aaDjnZB{300@{Eu
z!;ZCe4dd3SM|=Ea90L{*F(kNjMErM7gt+AxD!vVENehhkh~8ZrV(i>2a=Q0t-hRVy
zS~>>sFnhCy+=vfmwkW0gd5^4voY|-jiSBAK8r9ofIg?V>0CIVu2@rTiM_JDa=-!oM
zS>E&6XvIfh^V&2!%f-xAz(PlX_iN`9#Mh6Lv?Q!mlsvfIeV>1Ha&o!*&Gd2mcKPw<
z!q&?rh#R*hx+Gas#hnih6=3O)Hma1!3{0K*C)rsD%Na>l0z4lbBU}{Z5MjaLLLa(G
z;;i2fOJ6TGG^py}zUg8%XtL>`=^uKfY&>^a@C=d!W;T5|3T40{-dy4!8dn%v%?*xp
zDA=4DsiB1}+mT%WlX!G4j*RzL-+T|4f^#Sf37OI^elWZg_};>zLL;0!kh4}juN1u4
zwheTI&=oUKrfdhAWRC%iM|=bM&2`}C&l(TxyhoMP@V^zW1)Nfgq7vf&Smh)f&?Elt
z?zfM+(u|W3-Q+(aJbIn7j!u@~bc*ndH|Y+QO3_feMj;|cGMS(up!<uKpmd8N2QcX%
zO|&0*)rGC8B!a)<UqGmi%u5a!Ph59d$ytF|b(2xwfETsZOHhLbP$gMqTCU^JGh^mU
zQU4*2mdRJ4>U0XwhNoN<Q-sDuq254B*nvvkr3-2fVv<jo!-`n)VK7o@2aR<iajmXb
z@mHI^0`sw)2F^COGe7#nJjh1MHhzb;076#akR1+kEW`CP_m42=tDZQ9K04Vy+#uw8
zh@SKM6(_X#;B|WWVFL)hNz4u$qE6Lv)rCq$qJ!^`WSJynwa?!mWUvdnt`m_59w!Qp
zBF{V|lZBt8u%(~ma%N#Nw^=&Zos4Y^(GZ&<9TO@4#>vaGR@48k!gl2HS4tyU8o)k=
zo#&zXj8vi>2fE*wg=)bFMtG5Xd}&qn4*hr4^iL*^fCqUuh|Zhm!;y0!FTjWAbh>y}
zsF!T7zYV2y<!4j}{J5>5V$Yx4j$*It1kNcgKg>0;1n-nUSx*E6kY|c@l0=K}p6!3N
zOGs>jelsy*ANom%YxF%Tu{IKT9mNds=KhxtKL}_l>9sfiWD;=E=?nHR$Ps<ncxxcQ
z`N{U2lpI8{(Q-^P2UIoN95s8(pn;X6`MWJP{*c@55Nb{kmYg;IpEFO;Ggn8BbLt{s
zjHPuLNI)MAuamZYr>wNoXws)c@<mh3A*;7+&{8&^7jE|~Q>ptUyDyz9GA$u4t@wm1
zf+}fSdL80-SjN|2=$l@{Zyx&owr~YXz!R{np5|HC+P0)tssh{_66O5~lQ||@^fn68
zyZBu|jn#-#rzIO9wxJm1g?Ph<P_UU#k0BW)UH`fkORS|ghCeLbP~@%e?6i35EY$YN
zB~*Ok+<K}r-v9u7XCji=I10QJIrh^yp>jrYYf?4eGdNOTZE^9{F2C=Pi5BXMDv#e<
z$=4fUw9VzZV=hKUbHX&s!0!$3N^@ukRzc|Cq0EUAdy?c{v0O`pg!r@C1I48H4}R?Q
zz6Hso3XW%GcMM#18_RCf3UcPYoKVTxpu{yjbI4ddhk1hx;M<;byP=G^(>7Kk=JGhh
z8i1(-T?&0^|H(D<9*Bq+)kB|&Jr+k6bTSN=)uVz=Ab|hG>hq8peDZ!!^hiG5G>|}#
zCDyx!`|wGzG{jen<PrP{K!)l~X$jepkEC*8{yB(1wdrH7j6o0xX%Lc1Ji`Gxui#NO
zV^$e5Z)2Yry>w17a{BDjyq7OF3NxbTGdLWuwDfC61Qx2Nv1078yl^6yC@enweptp=
z31ZTn&mAonTr#pdutn|OQ7iS=R%sB~xKl(eH8OCTi0JA{xD&PvztC}_wEMXACcys8
zkQklHMH}9W7hM~K9HVeQh$>%@xLw)5K3)s2A-mOrIO42p*lr;11zrZ-><LM*W^_1i
zay6-J^I6=HS`ncPGS$RWmb5pNt&-5av&5S%{g>(Jt*&f+AVZ`Ay%f~;O^jha{6)eP
zLG68PHv3;+iaStQNe|rhwm%X6t{3MAp1|82qkHR%4~e3_*U7zj^nRUGmS=8~a%U_w
z%n^L+IfpTqYjqY|jtmKdj@;pCt_nDoV;Y$fZpIDUz75Obzj;Vg7N+a7S$erjRa+U^
z?4TcfDz3f-Buy!=lUgkXxlhrXFy%n3Y^s9t7%2QUBlqECT_Aahy@EY!ZRZtdh(7?H
zcMrFhG*2Lz%?ogcknN=7t|TorUgK&678eDzi947i2qG+BaLPLwS@62OHPPhr_+b)Z
z-mKQR8j|)8G4tD`N<M9{k<Yf!`{}<UkKGN?w2Q{qyZHzr$a`ZR@z8KXmV!^_*>41W
zzBmwctF7<)U=Kp#KfURqcXhRUWcVVmD!~}dXZ9#b#>j$b`8+#wckHtBvijCiNB{C8
zzC-D%4~vKezW$}N&tzmxyiAaFLX>7O&UR|_kx;8=Pk8{$>H6jx&%CZ2U?_ToSrUB{
znnslc?eGAB|Ngjisj<h-Ugslidi_fgs06HsFnUl%x<)6qS+rjk2JN-Edlu|?pW240
z%%>l5&8weZW%A5f#S590Md6`a-!TaCdj^W2!9Oq7B8}~dG#_$@MgUkhHo`{*f0q<s
zNBV{?H*<rZu{R?2Ml>nl(!GWuA*g?BNyHwA8PsQ8p9cThzJj;N2Kq&C{1VF~kZrnw
zG~Imzc1qGW_V91NhJRbY9=%p_%pL!sX`w|I+OHL~5q%IE<BnAJuICu=WG(4FZxF|{
zQ)lum*zJAvO{u!nx~jZ2pwk?5a00mvcPcmYNRGKfkW7{6I-?Oj029My*}YwvSCnV!
zs@f0c{{{<$RB(MAz2A!B2P`FJ_U~#FWJi}xC=Ylicb^>Pm2A8o$%>tF94}*;V(JmR
z(;eFw5Y~kE5Cf84J5OJ2e~=siRY3E$n+p}8;hGP1QAjJrYn4blaPoox7U-QlW*1XG
z=b?F%tTeS6n~Q{(<hn~s5-9pv&KCKtXA+Bf8r7A$*PrM|XN=t1lqc-$7gVsL?`K@A
zuQX-G2Odk-<o{3uS~4&BC-qgCsX(=lP-LgTsAEA~vmYM<oJ+B&M@{UsiZ>iBTzQy7
zU=mY^9uVRU5<ElKZ#`D|w@QR*8qd$4dWQAv*kJXtWMEQ+D)H?NEcd5abMIe9AVI+Z
zc}(alIm&Nr73&52yD|+TEv7ROaf(r|B$!_7QBs2LlM!IIGte0+PT#zWvx^72oxd@#
zk6P+i7P<Z4sj0nFQm1D)WdgC}24F+lXkVDRVi0j;p{ZQ1o*u(j8fwm+BiZXatzuy6
zOmNNTv;uaSxzs0tE+y7#VVhECLlx2r_t|4WR<4p`WbnwCYF)m6>W_R$!E_&w2P5t(
zIo^sroD6P&WAYW!>`#}IbajlWZMIGp^JRoY)@;Q;-|Q{HmEwDzZsK&@DiLk9?~Bt3
zwXFFW`7O+M`KOwXvco>T#H8fwP~Be0!Xwet;jPmQvPY!l4jJw|B&@8KLCL!<>)kR7
z1}l}YaB63+9tiBQ#H1K@`b($ZJ86nrS7_D2-JO-LxD}6c%wB{vnyM&_ZI*>rFQ>7Q
z`5E^0A{6c{zH?KfzIm%U(WF_&2|R8&w=+-mI$A_r6}^1IOzV0b)*PokmseIPMEyLL
zdLa9t<shI}MH;@(M?YHP0^%m-1`ufvJ6wO;U%&{ulowz)1`Hi(B5zU4Z80RvzQBp5
z%`*iqiX1=rMiRTmzdF%K3UX4pyU9sXJPN#y9YpR6iMK2)q0Cjw<3S0sy0aTZNtc#c
zKpUGTD^(NO{G|CRwStiO9%vUMiN;ufV(|xdXdAq@uX(?Ct1lFo;f7!P5LWDd7_2>)
zgHk9p8eBsHo4$eN{;9ASib*nu(zB5P9zKd)zOXy0%3M$rK6ut2WHp@c80)69)?ioH
zuM+A}c~il8)b%=F*rTm$+d&0S5~am`BsPtqu=1k0)0lB`f8`6E)KG8j#Io1j1;+O?
zQe-0M-`BIio5Fe)Jip=d`*HIcMQ2NLizu9+-@9z~+$d1RD{KEZIjUC1o_VTkcEXPF
zu6Rcsm|nk{>+!ex;5VfWcZ6d>(SDSbJ!g$ZyQi^Gv*A@*L)Y14x?Ch?{$q*dGX^|8
z*-yoh&&yE_0>AiILqml?OiOX2whvQH17p_x206!UV2MIs?36=48MY&e<t|f5`(>_B
z(YS=9kh}C)qZ6u90aT82bwqYx!o)OkS0KQ=h&|lqNKgcqlf|eY`||tm?KiJhNvoTP
za@(e_H&TPLIjZ_HY8HKR@3Io|(|kpWfK63O@3w@ec<|s?9{gMDkPk$tRW-cUw%6Vq
z-x7uc9S!}7mxILfaXRY&in)J?nBS`k_`UzvT}f^6Cc7P?PTtp16wbTodw!6GTmY<<
zPy0IFgGSgx+=h(LVLV1P3kj(CML1pKN!*x1Gs&#P&{ZpYF8)Qa1Rko|6Ou{Epqs>L
z7u6$qM^Kb$*;9+AjY`Wpj<N<Fv&6g-qzi?pL~#-NJ5tzd6n~YrjB6H!d;$}v^Bb>7
zOJ{=K4rY~72CS5uL4nf;6y^dM#^q!2SPWCB1WV3}O6Q<B8$oi+w|uVbL6%8kNPqGt
zRpL3E=vZ|_-ZI$tLMv>IsteC%gM$E|nstPaE^Pnn9_chVa`$wUs-GpJ$eqRdMj%0*
zmoDfU#&x5&VF6pgYeHzwkqiY0*4NpwcWD(WO{>gJKx!8s5cFkpzKHJkI5=@hZCIH8
zhji(jNYdCB$+?u^l-5I@ypDn_f3>05bO;((hI&hOTV@YkLLr$5>nt+=>QTv|c21nT
z#S{S)L2h*-*WFP3%|Xw0jAyx_;VqWUj=___{_5j+ZA<faL<kJv;4ZGIXQetJ6e90?
zJj!ek#afF9H%+qSPgOSDHu-4jWhIjV60*v8XNurOLY8r7a7vmu>F>mfVSmqYdu0Sv
zO#=13%JkiWV__@AA`HJ5I&Y{Yimez0+LHz>N>&l)PzSgg&Ri{5w+3QRCl*ONoPniP
zQt!O#!%%b~c+S=kZUz`;v|#$n6PjS{ed~r+TI^(Kv*;PLq&BiZxp#=-d8tt?F_L5(
zscrtlSQ^%UnAzK-Pa1kUTjEv%U4v{7M4cNVEjiB+jkYSvL=U>6lW>$qwZMwds~O&2
zqf^jRSVxOcX>DDTnaF+~fDh8tNo*_!?!Q#e<?&u^=0=c0|JLZk-zvlXTT~^>F?{(q
zt`wdt&Xy$qsy=~X{kTxu9!IWM?N<w`dv9DaYUt-wH${dGPm&CIsg5JP$1oZc_*#6^
zDoOkLP2rYx(rLzpXbi7?#2LACLDFoOBpHn6PCHRW7Tq7+z_wk=g03d!ui%uMB3%2P
z7OmZK){C{yo}ir~BC=jpd`{bNB47I&E|EELhGG^U6=JTk!FI~MX=q02R`iL#FQvqM
zACC6Y)?jYv67h(pS~M{m=O#tzh>5vGp)rU$t&p}y9&P=`g@KkYSCRd~X=;)8695hQ
zXz$<#KoixyPJ$YC;UfiCY5<RZ_?emJ#$fjl+nUTkDXt8xjoyzkAgI*S!I>>Xu+<~M
z#P?oX2YcKZa$O^7l+Qv?%xy`djX#%jQg%KVZvFx%(T!VjCiSrBi+|+d5IA6&WUx3L
z@1$fwnWjmFIA<&x(zEN+({S6>P+}9b_vejWA&OOV4xp+{R%F-X!%92q((zf(6X(x{
zn|tS-3RW2D*9U@@3~ecds29K}U4_23=|^hYtaHuDm+b(xwNj`l&zwZ;L02Ut9}_AK
zhj!~$m`kGksuG;OpXYw_&1!HWWq1WsLMzH{+4oq`DC$#6frL>Qbmnibvz3pGZehG2
z&u(3OsZwV_VONuEts)xLtyvcg8}(%3Qss^#?=?^I+Q|0<7#FvyxD=&-np$*xB|bW(
z@>tZZG<FSR6IY7lbH222=Scw?id<m9Jg;n`8v!QpU#vu`@_Te+1&u_*6HB?6$ZjVy
zet4p=;+JW1V+RT$f2<4!MhngT3iX4pb-r*V4=n#2^K6Tqh8vlOooikv-_~xoK|hy>
z`d^!i6AOk%HwcfX+Ah~!l(lNhBY2P^63ot8NI00Pr0`M~?MMM+*I}4rQOvy`Arx0N
zUXpYCk<7^3FY=)$D-b`=@A{0_N;yQlGu+PvX(AdLf=52yI(H;HEe@x%GV{5y-6EeZ
zG@HfI+Ri|9B4uPJ@u6FR`r3Vylh)eGhyFBL6E{d5CW&J5rye$~nGMN`lT%g(h2nzZ
zta~-*DPhE5+g{{VMtN2l{cCL2b<~yLQZo*!b=A&v01Iw}cYM?+(@H(ydiMmms%fi{
zSU3Q5h@;Bcl-I+4T0<L3s%`}q7`hf5Y@r`l5L8qY_za;mI)pZa<o0ab@aX=HKh8<i
zp1CChbybw2OM+lC6snLfPPil5uUy|eZ(Oe7tl}X*CjB#`kNSXAy-2Kl<93QTzh$nR
z*0x*$rI$sqG<{QffbL8=1#`{n+kj8CotnM9)iHs?dDg<_=C+1j5aT2y4j%LSAGutU
zePbQ4T@eXrM?fV0O&So`3nzu?L+&uR6TYQOcCu=ym6NmGUE>=W<bqj8ct4upO}Zz-
zbmM%;5m@uzC70pw3AK`Vvvko&uHA<@HIv0=xC9n2ESqSCw^KGeNIEsBHV{p1gNoOh
zgp)-{nah;Y`vSTG5s($?dp*a|S4s-TjG8WUrCu+UqS53=qax<<5VI(zjB-QBatXuG
zLcUxsOdHUDL<y9x=yjbU>K>EN@)^x65V`_da`_5+3}9v+Mx1%UYJS@os`QwKp_oiE
zVJ87of0Lg(d?Z3j3()E9*{Q;*PcdCU)QLaw`^{<KkPDkTO89nw9O?IC+MQeAtgUOf
zSMV+yw^f$(p_6PK$EuaUJl=*QGh1V4<Ehk2q6^!$?amG9ae$iO%m@1Tmdz@r93)j?
zZ2aZWbIKT`9%%0#EM(wy%eaaPSq(~bs=*E1=ehErUg$MJ?{TF#x#Sh;%CitUGfa_v
z%<;C@IQ`lQMa%KXD4jHs1!Ucbm7!#zqe_;b;M-Z;WDz`qk4SV0_t`?4v9=;_bz2<%
zU?|y5ZloXrK6-ZL8-jLEtMF<Y@`NAdq^w89>pFI+<W8CEa6C}tr1Qo(S4*eS8d+gl
z7Fk-a4P3cE*tgi!w%PGW*we4xX*hbY`Jx@Iq91rpA>~9r{qh(7+7Jl~ywDjmZ7NZl
z;kXa>g2VW>4+U_AJE|mKITN+A<5ZT*{x#>kTo>zy7&=;RKyMS*IcvfFyXzEFq4$Dp
z6p@U$8>OJ4<x(%bhR(sLoNH=~Fm7(g0b5mxrJkVVDLC4U4f#*(OUeJkj(9}|F}nT5
z1KW=wF;B)i4KtZgpB)wl?67zIBF2-NH=))oLwop}92e=5_VrnNb+vd=PwbpU_%qe|
zInZ{mEnz|_0*!p9Cx}ZUHnbvTiSa4rt7iqIoD40y$sB<#!vs?g;==Z6TRDlRWq2<e
zRx^TO8XNXr<KiYf0;IyjwYf9Ce-D``Q%9GWIP!q^XrTm#F-TN3HRtH$3AI;1uc)mA
z`b~;d<+4RVnq@RuWF^MbIg7<cL_{6e=nV)ZNe*mzq|{mYpt{0JXt#=Whk!5H0G?o&
zoeIYDysTgg19HGeglv?Luc}-qifZc5^a?JE14b3tszToID?zpts}2QIEyRyuH)I#g
zonf#sVAK{w8)qR@fF=ZqKVPST?vY2ej$^~!hR1z`rv$p3;de=mN+QA|{9-@tR*{>s
zcyCMb=6Q@rG(*lNV~R}YqJ09$I243<EUr}+CmeW(Z?t~%KZHjQ-JQlAXd6|;PLcgX
zj!gZ(A-N+HjZ$x90*1HOwPaJQHK{`7V&jmH>xV>lavB_VCgy3S#OLoV%4x%6hbuE>
zYckTi3B^&8&dS`?gSL<^6AzvD1!*`!PBKd(Y8)zrrM~wRT;dxXiZMk>EqK(@XPk{%
z-<@6VDm?^q+`c6vGR+TO%EX8qg-vdw63Y|3DNszaQra<8RH#z*F*@8Yt|!Up60*7x
z)RwSGOis-n7t8C&0^PL@vY%MUeIs=8Vi9~)1CUa5PN@alX0om<2E32~=FaCU>*|(D
zRdh-mhR)J8173vozm##kYw-2viu5{Z*v6A7rNoa#P!-`*rpj$x8I~|rTt6@Bc&aN!
znqm+->r5KUr5XYg4R{*dok+drbLJ9V^RGhEhd0uf+*4APo9doWZLGoTYjJr}>*Uju
z;fSKY*aZYd@$5pPZnJ9glrk~>u(VLoK&{*zAK=@T(E6=_yojwOM^l-kf!CY+mCoZ9
zblqQCaxA?0lvJONW8P<p%~gvQ=2z>kKiVAT+_si@^^T>qeD1+KN1iA3e<J!lSL^-f
zag>r(F}rkA8^tic%W87uB&;h<*M9KZm(R0I*d0G(y{*^ZDzod4ZubJ>L&nQ_Ua8-E
z`BiRR`@f3h^qoY^8;Y-f_qI&g9J>@nisT?aUO$X#1DG)LeTK+byCgd6JThVC59_B^
z=;>dO-)Jl8Y%ol|jHD`*i9#H8mT@GIJz&lxXywer8_a7B*qx+D;bU7t&iU<fcv*VW
z6aWF-Rm#qZ7smxQFz11WtCoMgG~k5Pj!Cyk9n9c0>cSL+Hb5CINViW6Ka<xID_Uw#
zsN!mj`^e~c1<Ud6;ISOQsrbh5VyDK`%N}H3={`kA=QOG;y?&H&14VELig^e$Wr<IO
z;DeAoFzR5+=I}SOaOre)gb&?&tg(DEarF3FyJyMB&SeKvAht9Y>R7KH?1X!t1^KnY
zHlw~Iy1^cFxeu;SUr~M%F@(bB?VaA5@qLWiWVXkfu*v(y`4;!%|J$AEcDlJ5ET6>Y
zRi7ssQRL<Os)Sf=H=DGpkxTw6>r$7L95Nm|#dorv{hBg{)Rm`|bZSmAw=ZN(+@8Q$
zFl8tt7Ol$(mHDC{X(f?Sh9%Aos3c^ps~dQGokAFpbvdTN08F<kmPo8@9w_L4b<F6c
zPJJEB>V8!y=n9Cb;K%V<YbPe`4N>lx>TE6v%=1m2gX6+m=8&9ZS6&AY{AIzsZ!Ig_
zD5T5U7Q&Q_^JLE<t_Kd$nURj?V8A9R3ar#z@kBf=Un{d(Rhfg#`9)b0!8N>Y$^&W2
z7bz#rg<f)@cEM_@DRW37NbAv3rG_YC5Sl}l8%|^UBxH4^@FxcfzHICBLPW|}_QF~T
z6CbeTai}S|JjA9r?jg^Y8Q{ZhwBPZ^L=L)E{E~sYV{p8400qWn_{IK;W3H{{hfAGB
zee%{qIUCRr7(sM*%VZLSFhjYX*p>KizM?!tVT`;^0mdBVk}!h=_JN1$^y3Y^r&SR1
zo9CJ0PBkr=;jT(wszR0{q_+k?f_t)QNl%gsIGNe5u5jp@Mdna)g}%1P$BCUFDcg*P
zxhU$zDYG*Ec<~If?>nxeB3_-VjO^a}4ZJmMoo>hgahpyn)6yyEnu(HUYse$r>==Y+
zlxDFM_E~o1ahU@qVc&C;sXtNc_Loi1<*wa<roe9dAYKONO@-tY39!R&x)+<??=2id
z_*#J&-M;+Z-l%6JDX(G*LB`rSYR;cjFu!Pa!J%<`)wJ8PJtwwU6K=E)PeK>b)wrO8
zB*nBMt5s?W?U{lVx0|!`u=(}nTPG*=vv5~#NSf&jFb=n>IF?HseA^0dzz{i-`~gEi
zL~JiuX$0iK!M|A=IZ{>}dyEWamZIBNwdsSVicYqfl5>na>1BGn!NCA@^%AVDzPHm@
z1MCo=?<3x&=R$`(D{y8rYPH~<Z-cQuoo_Q>x-^PlXKnqRhm)1lySumh)6dhF!AGO=
zXQ$d&Mah%A+9{+=!oE$Yi^X4nb*PF5C)VuS)4MYGc$&B!^n)*8CyJ9Uxc9R8BQ5yL
zhhIKC?KodbqAIra8D^^=FPCNg<F{cFPS>v%Rz=^PI5}rec{31#@Ue;z{}d(I({DAh
zi1XlUWBqXK!Emh`%{OL$^YMQBxbt^*^YvBFdY@S{X`4#9C>(mFo#Eu>>BoFsoWH%;
z@!`Ccv{v+6Br-D0*3E>SP)-9~&~u1(^I+4G%t%=DclYsqI|DR=a2y}0#$wPoTYl^}
zvqk-Jn?x5JSp^7^X_}*iF{OlGOkD53)eKP@em>?J68QOb8&7NGK@PaHQ}T(+PI)A8
zR+%tJe&fK`ku+=O{maJ;3u@XsJtPCEzWY@M{^9Jz&SkCBd2Gz|hUf%|y;znR5kJwl
zIZUA!JtKgZ=euKux^*!9kV_CZI%>INXb8suSyoh~tS`Kzt7UrzY!jsIL%S*W-Nlg=
zkmGYSAku`89f@T~nCHva_XY4QJazJ1TXHV9U98t1vE<JW%NyxQCNF%(rr<AYm=bj2
zH&Ywv=}Da5`n31sDHY*lwifXKZGSz!1pIpTsP8g2x)AYcPYeHPTkOTV#{&t`Kdg@I
zC9`TB2Rfy>`e5?SYXUA{ao(RguLF@jy=$CJ+6kOGyM!M*uQxn2o0RZ~Fa`Ibiz%23
zZ3|#Cm(>go5IS=Kb8h=aYgRLC*D$H~Lx&C1QFIT#&EI*1eV2N3Py1-jIcrp133GUD
zo*!vd5Z`?Pqf(K*;@^O8yaL;;VU9?umOQqWJV3~hUgWIU46ScssX#;rohbYqZ$u3!
z=~$%Z5$`vkcX-xN+bYs4RA9i1a|%LUU<QuWQXSjL+aEitMOVk5f)10km8V>T$kZ|r
zQd}X@iWN~mJ5&2{xU42b@jKnQ;}roV$%3$k0>zx0LHQyz!lB&pghgK@Vwqhrm5yY}
zrm?EAH$&OfvL)aR>xV!$G$8}~Mr-4FBIsoyUz1LXzc-5ZqmFG<sQf;B?J^VTd<86R
z^n1uh_zZFYM><Zf@svvS;E0%r%k?X}wZn^>X!#@RbyBp}^g$2#k{rD5W9tPJ7INwX
z=GmrhRCQ6jKG_Ch2|8Kxpdo#5y|wu7qil*0Nw-e!@^P93lTZT`wg&&GV|{D^clm!R
zvdx`)=whvCIleAEM$)uzeG7a(&S|(8uD%P7t^HAT6*^r!k``pf>3**|Ww^Op{zm*C
zBL|GPE@J{Q5YTQF(EnrPK=@xqj{m|;_jr0Aa3pels3Y~fn_UuUpPRB|XkDxqn7Qpo
z)U|A#t;gKA6QiWA$tU1|+|672JwFTYK?viwrcYlwz9Y7YfvAUcDsw&9UZf_o(ci6n
zWw~EaOiS7Jp<{BBa$ooq*SJSvM6pmbw|u)+EuOjaY<EkIJyuI$U>9ujvQRunAL0%D
z?H(g=SfIP0pf=xj*4|Q9IWGgz0~*=69{UwnEUo#~msWCsl7_ggoe&@GUX)%U-s|b1
zk}59UCHl3KFEy4#496vSy{@bv-Ax4zg!YH5tP^AO_dFeLcv!Y8FJ}~<M1VVmHuH!!
z?)Gjv`q3c6+arx6RgW<5rLjUJZgPAU8|CTlE|7kUT3;2$+neocWsqgWW$0m1PL+ld
zie?SR+iN8`gxB)haQ@ZpbzHbv^4i$=XEznLxFPV9IKv-GP5KxmkTql`e6Ge}dWQLG
zsks0zf3!8<hl`?L4{KFIn<;T%K|CtHbHHKC2|!@2RUgip$aFe}3X4F~r-GNO?^5ms
zWL?l4p_uRC@~RsW5+*LiCT!c7RAbi7VGf4wUt69LPjk`<MWQH0tB!LQX?4A#bq4?X
zJbS*UaUTl3Q)G#}8Gm&JUly?`O3gfB5iI^Z(8d?5!vq%iUnxl2$TlVG3gW=`IdZN@
zWv~jP3A!a7u6Nl<;2OGu`ntE;a0hNA^OM7ILA-R6S(8=7Fc0F$EW**l<)KZAvz67h
z{-h=CyJnhW<uHzD;{;h5<R7q6aFg2uHiheW8F^1nA&k*5?;*FZKCrfpBkux<uOTJ?
z-9}`>9@JSNmgHpDHXEmXk>HWev60M!*0GV<L{oFg4X?l3cu~;+kuD4T+=AD=*WH)y
zMtb2<u_#0RqnDM-sG=<oTDFSfQ-;0ytXOWAB5R)7^?@GTUF!+@?!xS5NgZBw%YqCp
z6LY&^QB6rdgI>S9e)+QC#T5PvTMasWX(xpL-7Uc1)r%E7Gpise`iSC8!%zk`4OQ|>
z1ZmX*%@Uj(8Yd~MkPNCQan3VA6$Fk>T5dr%5n%KSf_-=C1~Kdeb5I!I32^uN6zJsQ
z=lLXX(no5gx@XHHik_J?Np)c@BP#Hec97C`$=HQt@RGR$tDkLx1gK)L4v{D3L8)}T
zE#BlNu#93)s7y#HOmGZ<kcBxFM4YTJQIwN4?WdA~kTho|r5ENP6B8MC?p#smwM21K
z^S0I}k(BEHfa<BFpCYr}cam<EwDGSbP9(Qo5}E)O$nD<C=LHU!J&d<LGov#Nv6$<W
z1=-Z%8#;@4#<dRKcmo8h<o5rl#j&Orx~af7yY$tjw0UF&O@H~RCZF2tBxddR21!^G
zpt5C_K~r0be?{=+7ZZtmI$~%)`5(6z2dfqqj2i)`hQb>NWWq`HO3O|lmBE!<BBBj*
zO-e0Da48~z2UCM`*v4~rkdqHE>;8ZyDarN{@lm%iL*tsN+mm$ixrj4MJhSOh60O3m
zYat?B0%dEl#UmVKM0f_)k_G;z{36I9R0jArYohIZ+kE)7MJdcOguO$}E}{-N1!6-;
zsOk(+TLkJUq?yIKQ2xrjo;C}ck(^l1vls%2!p31-phLdI5%kA7(31Wx-4#9Fsnv0b
z)}%j*_OZiQ>x-LF09KdeM=NSMYum^5km4FViZ*C@x*Giu&qmhM$i3%mVvC!Ae(+qc
z?H+nQKcao#Hsu8p*l+m4#xh_SWFo%Q{*#s{NNm?Nl*PzVS+&wmB{1#uN=;RmXe6P5
ze0$CvWQX=*lxZO?eJ7Ei7oUDO9c$W*Wtdv5EnFRB1nPE=bd%l&^LAlAXUG`DU~*3L
zqG%cC--i&E8yke8H?nxV%XmDF)7l*XH-$M{5FX5&h}s;fDy<SZx-KJ=+BGvViJNV1
zis#o!rw|qJF{Rt+BAnU~a@a>|LJ|Dv%tGvo=a-p0Ori)Ou2Bt_sHh1Oa+A2ldC@-;
z^=k5$Ds(crCiP&E8O=4Zjy=5WU1}rvp{+CvU|ZQJpBTIEAGaQ!i4L`r`0B{{m)`1i
zah%x@gg|hbGAw-$#{NR$1fE2Z7tGK9;7o>0Q4>6(m`b1|m?P%6zJ0O@gffQo=Z0v?
zUuum$2}^D)^s&O3c1Aw18;V3x#L*0Kl{?c{=3p$kw_}#Rw<r;VHnkSe=1zqV%zEAD
ziE2-ub|Ns^bmTgT8J-x19>*l+S#i};JZbgs+b-~;`rTwFSbG~jt$4k<yW_eC>oJQz
zVUza_&}Of308|B*s|E*eH5QJEWX2x@6ig%%pRIGzJcLcg=n*1Z!E<^iAPnw@$Vh4G
zA|{|6e+9A1Y_-NsYH^KnL&L$-S0#8B_h~D5ow~&X1ZnT7>rxc$6`YqNoe7d4YNYoZ
z5J0J!?dO6if_vmy?=IIz7Wh&Xne)Iuu`7JVcQEA}RVnh$T+3J{o#%$Dg<s@XFHW0B
zRBPcs&o+#D+Xckx%+#T}Y)aTB8uw$#^s0+~$yks@nu-h>xY7ow7V%9Sm?V}}uknoV
zD9G7TuxZj~ll_~Z@TDGyvgPnZqhfISdq^ikWSy*zI`CV@dP0L{Xi?d28+M6W@9mti
z--O4Q%wm))j}9m2{?3Ohc3iJWXM7QUsm^^0dR%)#L?d-ioIr6W$+_8Rv2EQ||0wei
zY=2q(A`ezYAbJgF@u#Q4G{~JBuWi+T>%n}mA#|?(LYlbE7Uqw_5j>omVtop+Xo5IO
zqUbu|l*;c-bx|Q|Q2#&?V+^UVOtQLVdJD)|8~E}sx%_|!TxTaYCEsNqr*GBfg7V|9
zI%*_j96(p-`+V-yqjAb7S&Gzk>+!PIz9n1ELTfHNv=Y_X$9ljHY!h(z4RSB&@h0bs
zGPr~;{;7&7HyBAO^|e@Bo=E&~6+Y!a&ESz9k7)#^?r()^f%5B>F!=<yyM$#MyQ?NQ
z6@8RiAt*CbzOLh;gjh(DfxjT^ZyU)3f3gKdCGsV7Wor^^S28(j5OWXH^^n^ZZV-iQ
zeqQjVi1c=G8H8BDN(f2U)MX;MOF1mQWVrUI|CPDSn<9Xyzv|;wBQL0?(u8pY1#97}
z(GKXfF&D?vJ1(DH(o|}j((=K`-=N;NkTR$VDE|Hf#XqqFUNxpGp^2NIp*30hYv96a
zR<u#hcvw%+4*47Qu-)$TfjI7aR<1Sb+Ak&}ow0V){1+aKDRXX<xb)B2^305p6F{Qd
zZbQ|x`8XC3G!|O)O1F3fNgW?ZTSreqm^wG6TUu{X)s68-U`9vpv*ZXmax_$mJ<{z~
zH5T<3(yekC+&!RqiLCiy4qs|RX}|}PV%eKUtw(mwnPrwFoyl16>l0ZkNRLAl%{M90
zsh7K1tSaUi{V^G)xlue(lwMgsz6C&T`rHD$zj9FTz?W9b4tJYObfzi`TB6}%KQ1EI
zXmacT^}g<#BM$o{H<n$SZT<OPL3WZHDSP3_*?n8^O*VIw<<sRS_Ui<fg91g<9jZ6`
zgULSJTeX6AA}ui?kg>nnOa-Z$y*eGzN(Zr4grySn*w|GzTF1U*2g+Xu;^(0K3;lLe
zN?l`*Yb3dceqVerrO={i%1gjLh{*A*@$F?z^%*%FR_JgVKW_|lyFuaNpF2yU;u@L*
zm}iGA>QJe<bC`=u*sew1PkHvZ5>U~-U?wM3%P1>k9s8jhTdQ;aGpRaq9fgUr4U1Or
z4Ccqv@A^~Ga1ACGc3I;nCe-uNTzmTWtU(p&X46CI_4?mKK1A@1jYtcZgD0a(UaL;b
zZ6_Z>4Sq2tHqZa+ugKlk6+!M8Wu7EJDs>u`%qZq&AVlNFXbzN@_DuT`2Z0+UZ`!yS
zZs9&FuWNrL7ZWnGG-ZzaC3GB!#Me4NA$zDgF<_XB$PB?iLta}rK^TOby9`A4>Gz0$
zI%LMfo#o5A&IbjQQYWw0Dz$HtnWLd|TWWD@Pf0NZxGtF{9-~S-m^ec_Y%3dvI3bS1
z8<@#K|8SHk)Mx`rBAiCWI>NP;ud!lVl_$oc3qgzjHLSbAM=~52Zv|*byd#yn%kV;=
z@YI7XyGD=uWFWQPNAUfkYPa?U-z`lac-P-4-=jzG*%YvuFFDa}`fLfNwH?ypi412-
zU=Jl{=qacV9)~_|%q(srlMHD;p+fg!?EOPdgyn0bn&>CQI#3$YZAw1U0iKc-*j`{M
zhg1q+R!ysNDgx0}(Y&N<OT~;+DPwGLZvtT!(H?cspHTkbVTg?0{Xo{&IY9m#QWvNn
zFVlG5?M+NJm~cN8dTRM+KCg#a*ZZZjoj{&7a3vjRxDUbd?iQA$)KNC|tIt4726S?=
zqQPWVyg39@HEq>@kP4c<Q8zFWB?XMi#f*%cKP?SEhM63CKewwri9twc6LG={5r6xa
zl;F@}V|qfY9{-hDItvsMVZ6?k1lEywZyIBxoQ?XXGyQ%ix$k=-(WYK#NQPOlWcZEI
zim%v$vIytV;9f1=C_T0u0&=3`U1$!|4C~Q9UnvF0Y*M|{7vUJf+O&O94~JRc;>b5a
zC3!M^2mC<4IG8q2_%HDd7y5^69U^DoZWNwj+<tlaL@4J)74-dXla_$7QXFXswE{hy
z(9eL4Au6nkfi$zak=;1PV4()p5@z-CHv&>V1`IeZPtE<;Y_bLHiJJ*kLhO^F9BG#(
zDJa`aRu<wC;mwS_ci0M%_yurC&cWw1J7&>W6AlV;DOu_mGLulxF>%)^)AnxKN*LLM
z(ldNPu7iP}D@xQ3_RWyKh-n@*F$tyKsu_3;IFD~I??Iaq;O|~+wV7$%WlY$!cm^<W
zm56+s7K?Xh*sJ8JlUZ_qbTs$i49t2bZTUlM*)f;KI7XpMzW@E(-{3aBvG_z25^^7G
z6QxqP&D{=6u<wIh>KKBECL;3dG?-Jf_TEl;pYBtRq^28EuY_BOf#x#-@k4M<U6%S)
z9rjAsumWAoR-|m{bU_SyEU9I$@_kxNZt6DL-*&0m;5>qwcG2e!YI~p(5$FisKDJJ(
zLN2;w*nXN-nvOOA5-&d6DimKav(AMNc4Fm*Z{yDMrFHNTzT@CWYn&NI_W_o>Vv-^^
zN%$}#h;xn|^OZYxQxH7;o#oNh5|npa{p#m(`F&nsDQS^XzIfKXRs%u8iSVjm?1>c^
zh0Cq(n1aYH#Jkm~2|;oNsNeqV`O`b-#7!J%2B%z!Qdo}<PLqn0uG#sR@q?jvp1?5<
zWeKDf{eG%KJVO55tWyu`Ruz7N%DvzDeFW;awQgS|-QTZGCh%K}$NmxWVKwsBo+Dp-
zFGdnbo0}lwV*Mb2<#=ga`)Vc@F2O#-TLTsG@EE9|XBeH~zX;0CfZxS<d}LXL-I@IP
z-AwN4hgLwSEXoTq8HH#UXEFu<=<Fetgw^HsSSlF>!M_J&+9A?RQ824S^#72#SxaY7
z!HwB!Cg2zX!P4fV4flj(=2=O(z%bgV`d>qoWw0|Qesc+<TM(1MU05=#8@d;}wdB~j
zP|nFJ0@3mz|I5y3{(83J2G-Qy{ZDFOnH42LSdt7`k6c2+3_ins4x$RFy*4Fy!7CwF
zVer&0!TvB_t+@Lyh`%{ZDy{R750V{@Ij$Igy-W_)0~7FOD>kGOw6Mj}3%Z<w>em)w
zleNHTW1B+=jD>9!uCbf<e^n?U)q;rBRBCnUHzRR^6p1s8+9{Gaef>GG7-g5eb*u;>
z&Y**osC++ix7A<}iBT89i|=|TO8z>TgcF!@>Ql%6a>Dsm>nd-Hte2;2g7Vl*Rc+SO
zMmR7|ioB#KiMDNB;>a+Jny<J^T;VIQtKO}QljSAei%=RzB~J<tw-zGj_kSp0Nt#1<
zf-S8Mft@|l$cbdhDdwJ;gA_i4l&@^})>aaB;u9Z^0Y`E0SgA-&(#K8@M880f1@o#3
z`0%g>1+-h+t<m~KOKTjW&ip-U!JX%eX5lhLzGW!c0wp_t0*EKYKYMC#L8kJm&FjcF
z0mT1<uXBnKrHQui*tTukwr!rVZQHhO+qP}%jL+D<^FQ2|`*6EcT}gFkcXukOq^kB>
zUn#);Dv1T>gwnP_CUxhZ`SX%Yk5D6`S~~efq{@po8$vl#u<>5VTQ}8bXqs0y(P4ey
zr!<LrNr#X!9<e!9N`0ifJ+wTCnoU8}N)*k^pvEBq^|E>L!X?1Ph`Lew+hvjkrh!hs
zb;T=O@{rSqe}aKL39zpu7uKH*F+d(Iq0|jRCFbHUw@LT!F!PT3t`Wq<(d1@kZf_o%
z(~=W-^MFbf`~;WLOFSEQejEiyuA92Ypes_cbZV;C_{|t4>d4UGZu5L(q@T9I`}w>>
zOUHi1&+v)NkH7-2`Q06k8dj@iX&snzT@Xt;@c-r_xt#rdeLhL^?=#t}Nrr0!KGdWK
z@XoS_DQ6X;DGP8>LRJ-8a^|FkB;l;XGCE@@t-l5&>lq1VT_epvOcq(o!}O8?P!Pg}
zNc~uuDE0Bqig|+`WFTUuoM|XNp6rqlrik#@{(ek%&iXO;Ugkn$cHRb}GEXmJ_y!Bk
zOjQvacU#I+SZH`NwB)9W>d^#0R)ZG!=hYb1s1A)$&`I4P6GsU5>g-kZ>rjaq@k&V!
z!_${9!owk)-<s9++AchYXoH#*UnMi(4KckCMPbzAs&^93(dlGdZQx?Fz7cpo?eMsz
zGsc#Ioa-kcGJ28g8)sbkhggN^{#pJ~gd7HKV?GtpmqI!*VXSld`ox8hXfL4Ge?%r2
zetNTU^JOHgjx4W99JqjqBmaVX6zHU%2wdZT80}MeIHCHT2y8p3uw$8zd-4xcwP%kw
zN@~lZqwuN%0ZH$hdU#1<3V+&1%j`OF4oFL6@Y*{eORWjoD<mIv5Wl-=B~G#+UZBDY
z9V~h)Q6g$MQ<b0)YlZy*_{k+`@Dmh`<i(?mrWKM(S(KVA{h{>5N~^jWHg(t{W>Arx
zUy@+gTxUeKRru&EFu$IPEJgw<esOcm-qf&*Y$R4!sunfC&V3&s$wH@uuJ^A>v2<2=
z65}2WMLFrbvzwjN!mHhnn@cYq|LLDE>uwhojWER1GngnLZd>F~+zmaGo!>Oqp>gE(
zsj~F>iXSlrk-#nKuv2i+XwVep`MKB!7=VkZ>#L<mSCTze@ADR<R<RHHI-Ol!WONXT
z!dyVBIi+cMKToAvJ{+Z>DvY|z%>?1{v{3uF&0f+d?FROT?XRW-ob+pji*#=Rj`RM|
zEt$L2cu>6@QLPG1@g@W4k~%5Wm!gORrT?>#Fq^}<u_Or&bzu&lSW-QLRDM+uGnDMi
zA8a|_EP#)WLRRh8F7qeb(CqNNl{g6!@r}iaaJ;e{w{~>5I7u{O3==WU8-z-qM1MMb
zt9Ucq3`$VGdZ-cI;7iT-g790Bs6-8T3#{@}48k4t*{FQj+_k4>61V!X1k8?>#jltp
z+gQ@XN3FIca}xD<sYKT&mqPFZ)Yz{-HxX=fcImUz`#EsixJm{0y)K`S*cuYHs)759
z_TN+`MSZlr+%JJ6mBaPYi-L<E=~&qV3kXot5{tkUH#q>qdQ9)&d7FumhOvUzmxqXy
zWY%61Nd+nUU&PF`$05LUl=qw~Jno~~TVvv%$x|aYk*n$F=ehUc^G^6r21@GbVwM?7
zVvNa6Xbr3-I}uDquQQJL$5au4*oW?Vwa-IPlaXn<p8<Ke`vPtOcQND>0h47L5%jy{
zIi8hKd6$J3@Gu7O-t7!C5^$GMOwtY71ZlzKyFSa2G9_BKeodZ0$<~r8{B2QkUBn4w
zZiUTXDc&EU{V_ht+0)}TN>>X65(Tr8h_Yt1&B?zlnZ>FX8L=Uhz5i-;AQ-c<%F9F7
zP{bTXY!BG618Q4q?d^G7Ar-_=4#j>9D?p_i8}r}AHAQ_St3`sN#1WCamRT&+2y>Uf
zs&G(sY@G6esZ^h1%P@1@=FJ&P|K>sSQS?+l0FqBM1V0wU@X0W?^rDfz6Zk=j@HYFW
z2B%PVJh8|vT0cS<jE-B+0_6Fh%(Kx?*l5w1Ki7vP1(TQ>yNSL<XhS7@prxj5Za={P
z*sdE=eMWM;phSM6zmZd9w;(VuU9N}cfb6ZPzK_^)Dx%kpOIrieJ1TK%617zWJ5>o>
zvGVL<_ZP$DS8LtJA4@#cnzk4~RQmn7gU0<t-MGw3-93{mejC`mEyY==HF9Hx*ry2%
ztjE?7vKOu`sYHe18I~JdZ{S`%s1v{39HN>=Dp|9jtp+<UTBp4wCUhDO>fSv}i1&~*
z9(ja|!Z*w{q>7C*88J4r)1$iAsD7rd-v*BoBfbnvfrp)bK`QRsr+*ar!MpcTuKl~a
z(L%(_QD<v0Q{@s>m%5f*jH2q4rhZX$^{)mM|0`-;m087?%H)@x>|3h!CBn8s%>y@|
ztVoV+SA_JyBV;WUtPgJb?$$s#p_z%CA`y|qZ|DT+nty?Nb73u(qUIETtaEi@dT1W_
zs%U*F0~Q7mMZ1rm?y?<NEKs$bAuuC}ZWa|kC3b0_@VEFu>$}O%6UTlk2GD*M-eGhy
znK<{5hg_39T(~B~UQ$DEWzb0iLyp<fW*gOJ#?&C65Ju0=)4Sp0?6cS%LfM#YT16hF
zf)pZn%3)GUXOsMu!x#(5f^@cCr!e?bQJXUl)wtcoSegTs+8YXD8x+H)Ay6|^GrbF*
zasnxf;W0JK@2t5LU$D}Py(MiuLC8W{vjun8t8`XZIg#vli*Dn6;bnf6SQ*#lQ==p%
zMlMAUJ{vat;!NFT%K(6{Ocd6!3<e&!q9xR2``^Wm4YglVpUu_t_LV~Dk$eHyE!Xn$
z)fN;A-(Vorvzk{eOW!AyKljQ`4MYQpa{{9sFKK;(VzV&#CRXJIdVGanuCOgXiAjq_
zA!4={xVF^KZKQM+7rh7ISB-KK5<y&mef{HQU5#=I_hHRA@aI{4vE(<n=`?Pq@JYoC
z-sJVR$wskrmtaq;T5wZXYc|?LauQ+S6pc$Z7&sFdV=D4o;+gWAhruAya9~zrdc=8e
z;r5o-I4x;^NFCMmAv~~@y1GF{XSBGSYw#J28D?gpHJx0D@LAho*nKsXeP#H0OrE&&
zETOII3LS#R0^I8NMrVB}xfLFR+ARuwSw^P0xt60EL>Ud7)Wyy?DbE)KGYNdUb<>uE
zPxGRXT!c!(U!n7+Ky8=63lik4L~k=O@&K~J_kT?b+>lg18{g?cRj+}q#ul(xbe_Qr
zd*Wtg<s^<)5#u2ySo;zpd6A%&K)1u4P&#N?Q8VQ8_|f2r7#$|ziitbHL4==2wo<X(
zjn~w3vw*t#el>iQ*&{KxJ7-hqE<jjV&M3qqn@JoTsCpX$ndjiPdzHj>x|7TZwOWd?
zXdRh;(xGUK);aRk4@Ow#F8#6Tz`yA@W+SIB#yl$IKy$~nZ_o(qPcBzXLac}(ekokP
zF9XNnJax@s%1N`BjYgeval!QIm`59YTGt~=ZXe)BZI0+ZJ))IkZpZ}oagj21ZX|j5
zcTfq6rBAx|q&t9tF!^LH6f(!4S$0Yhyk&!3Bj(0ol1o0dET=%dg%k2%2B%CutMH7N
zfvQp-&T+U;-na5+pZhzqR~<JUF1fY~zQQx#>6bA}=+bqT&fp;?Qf+Z*S&<sLUHVAS
zs?rV&U1y<z-R?$B&PS^!J<~Avq&0-}zTAq>Q8t0U6-eiYyl?{U*`><|iG0kMSkyiK
zgcNWXxG!j_G79HypDnc9vHft(1f>-@2G#T*I{EU59k*^R9D&8eTJEK5M{=?>%7L8D
zbVu`!bB1ZVhuDZ$!Y4tFy~J72{ADF8t@piVKl~^KoL?t92d0itm>)A%Y~f|-Qqb9Z
zI}VIrFE2NvTDKSGI4NKW!eGW{5z|t7ZF-T@95_zowxDSdUA^Ux!r!)H<NNIC<Z8q?
zr<ZmpV+E$$3W;?GTCh;7Qno;i3EwtzwEeUUC;J(A)tE}N>MAsK-j;PS_uSmd9iaLz
z%{1Psla>X8;k^|_5%N+yZ<xCmXNWsSh4S@(0EI=kK@GL>Vct#aHp%pj)s4zT-W27Y
z1mn<O4E1k;a&9c3dcf+0+^J)*IYE^hLG<L{+pb1ctyW{02Ugu5tIm2&cB=@kRH}zN
zuJ!P4oF=hNu<u$$TkzupCw*?R=As0PY?W#AlBy4N;5#kp=1+gzWq3<j1dIKWcCbV?
z9ntcZQ4r{GcpF+Vvh?gZyV-NG<SdZ%LO7WTt-1ZrngCQc{_O0mWu%?c#^URc{SDqh
zJuaKPN};dS`r!Mxkf1wI=g$Q^jE%OKWCK^kt#k1fzcz4M3~x1ivB?sg)Wt9}s5uP(
z6}?fLx&2L}Kcjvd^j4{m+E*lRxyi2DO^3iHpwtnJJ!{r5j%eqwlTlFn<DpKZ)<#Oi
z+Z@|Lf2U|ujzPZ&Gf7cT4@VA}7uU_rxm<PKj?yK|Ih)0@wDN$N3f=?KZ;S4ejygd^
zj6Y9Hr<_iHsGV(kzsoX0vrsO4eJTo>)@m=3ea;;S87RaaQt_A|j4WH{Xn(MC{S#*1
zKw;!a^i0&<#ld%L7yZw>I0rLV|G38W5-m;Qvsm|rYLC&x`c6h#!29d1lC?9MZZD=*
zt4~07KQ{VBBJ-b<tY*5larf%l!v2_j9PcY+eWqTKThM^LN|03?-Cua5wMSoUT-?4c
zjMc~90gG0O-*wx^>-(^S^Wz1A&g#bzXf{&Lq_#`?OH8bW9c~_5aG{wqT#6PRdx91F
z!2p%1xP^t6GE}_MB%W<1igV}0wegIX@+77kReGb{Cb_}xGTz)V-HMs*sq#2`|4{Ad
zdh+D(5=$d!L1`qrk}ru%z%UjHq(iKD-)ft1?ks1qNKoV@e9fB`SifFNSbDnJJ@}8I
zqM=K3fGN&2aq^)iw=~OmX{^W8KrePIJsQB1UOhNVmhM*zN`^i``M4kOKxQ^wvsZpt
zdNFTza`B?1GsjzD0NIua$4=FcqNTjTqoN^F1ed5^qS8-0POeaxTiJsA!h*vxKOR{B
zYO^-nCrc;KyG1*YWBCFUFUQy2<G-)-r`yBBe?-L)*IvY(h!N-}lX$C$yZiqh9be<7
zE{m2H?Ehq(Es{;0^Yw9b@nC1;(g$IhH{qNe--RPPa-ozi_i=nUxMKn6EZGw8OP|%+
zbRY)444sXw^ov#<`-2ZfO%=5fxx@H|%k|-hMw6~va_%=p72U+8ZaSBQDE3cTXpx!6
zPCYp*a1}%y?1cqQ?E_HJuHNPcojEh`@WBl}U{{;$*%eKlweL0_TMdN>J4!bK#Zr_d
z-#t3zP&o4O@bYkd_3}lYflWp5abm^9%Juc}#nBZe9UL?K6$G*oL0DxVgv+vXDOiWA
z9x$)QPWR8A1qcR&lb%tpkyGafavV-pU(dJ~E&Bc0HnX)Gx>y5=O7ConSU2ORcID(G
zx`~(Fm`+K=rE4#yYpNRxzW7VQ1ZGEidbP(<((AKS+E_;@UVk1R<+fL{2e6M=TQ5Pm
z{J^X4zqtj!yCeyzBo@R{5S^9<{Hw8Zl+zJa-Kvl+W_tZToA!5y0o~eL2tadRtqt*|
zh*L;@^dI*g(lO4$FqIHmrcO$eeo35v{!b>wik;g_t>XqiMTqKr@XLAVJCL=LZSHq)
z6AL0K&AM<c=N$8x)wbB$5nE?0Df{1O9hNJI*#6AG*JBtB^4*Tu1;EV?ydnK)xZ#sW
zIU?IRWpVi5dD!Ri0AMHWB1n(OPXXV*BCG8IN6*t{{IwQ*H;N(Bq8nwlr}tqOA43Ox
z2>iT>nL4emKj(4k9bUYIC}Yh?T$y&yu{Z=URtb)LRn(xaHcLxJE#H}_NjX($5;SJl
zqq9|N*l$_!#RO7K0sro((1p(SMIcn{4tgwSWD4Y9q#?IZVn&EeMR9SYog-9B;b2E*
z3=88-T<eQu7E_cC5Q??bQd6j=A9o-8glL~>QxY?Q&<ip!)z3)q)qi{_7J^}n%+@ZC
zu5W~tMz|jWnMkEYt8m=KacCfFxAONd(znUfc0j@rdZb4}>HLZhdfd{H&aJo#dllXS
z5TEE7V)a?|aS^;5VYIa^!OVWD)&bU~VfW|XgzxNhkUlAIuN~gvuN()Pz^>OMa@oD7
z?rhw;i;8aK^H}9nq2F?%=RT<1)>dqkeF|wk!~c$zgiL6>8lkTES+wnsyIB34qRCTe
zU8T;FzD{MFNos%8=+&`D7nbve7YcspqV!nhi7ZHZVTcYrYog=~l<hKLc`u>E#}%GQ
zbO(g;i!H<z;&=at)%c)z*K?bN`&x_gMWH2;aKFt{e9Svc8i3V*!-qS1DDa15fI+<l
zFL%cmy<r`-16RZLH?pS=f9MSu@6(T@y9L*~<^L2V;<EBJr@{XKY6*0|AO>ZCTa5F`
zL!H+;YRWyQ1D2hD=Zo@xGJORA%pD*%2RiE}^NdC$|0@CDJhB&6_=4}ZFF~w-k2lwI
zH>`-_RfG^Do1};m6J5Tmg+Laj$dZug%Mo1|COi|mg<tJ@P7tXyvDfuL(aFtzB_`1P
zM6Q%a1CVbwk1LKCirx*0?VclQ^;)zsrr&)5jc_Y|>7mcC(2(7|_gzQvPS0#Ed;ZnP
zj)VR43J-|%O%ZQRO&~~-N@WLFJQVZhBzV8Z%OK-_iQ&Fs2V|t|4T!5uz;6fodvB}8
zKR6WX?_#V~kTXrsHk8CsLGXwTpfRx2G5|exzGD{wuNSGJh;_+crcgijW*m_vDe0~4
z{4fB!z{`AGVOTHb-XGL;mtYV;)d267#6=eYHUwELfDQkstyq7y`EVNuJ7DK6hB`2i
zt^o*NZs*)CM-rDk9nS>;x_$Rec5T3n=OPN$(EBSjf4O%>7Dj=-4XAlAF#X4(at3F)
zyc1Gi=vdzi@da|=$F3THolwZt%nV@f-SCVrcuZH|1IsQIPw#~qFT+$Q4D9qzYd3@$
zOmkpo+qA4p4W*bg2Qt}*-ueitPIc<N>EG~4iYak$;Wz>cNBCn_j4K}FYKJ;;Sg1#K
zL(9?MW|5FvPbB~~0T)WZoD*!N=eMRNcxx!i`3LjEF|_{H0s~k8Z(9+zxJBMOafNH6
zMLV`5YkmL37o>rcdC||zW9B#gi?Jj)vFt%%6@JkoSCM1N5M#xqN`zP$a5mhmSTzaG
z8V2e7*L-dSmkf4YyBkAi0A@c*6%9w8t;&F#bX9<VUCFPCSfS=%Ng!Y)>Hy=nTp?iR
zJ7S+WW6iiDoPi1ax|S;_jrPEl*)Rs|qOaSM;>wofv|P5b<?PlNvVb~tdvI$KyzRI}
z0rO*$ov{HoB@oR2RNm4PmM&mXGWKKIvYJ^2v-kCof*~`W8gw*Xqk9`w`T{IUu07QF
zJ0nfmwE;O|m&}WS_r~^GqZ<KN>ybmh@}qu!RqdO{3<?n2HU{97CtS$S^W=fwe?3dv
zY~_3bkAp=r&)c`JAnf|Px8`iKkUoG3*cvgN27LOpN-g`lW2NJLR;|yug0g5C^)~4K
zuxl0NUszXp{6aP2Y-Y!Eb>T5<6ji$~#TRlCzCSx24i~VH^RKAHffwx}rNn`@Aj@M&
z6k%a}x(H%YGlC2iS=!GskfnDEXkMZ6`WN7r6Id=$_5^ZhfN{B+nXH`xVKzVC7$U#D
z&Hvm!x7h`teBX7S;`V8MlRL_rXB?@Sn(k+ZdJ)e-WjdJG5t;`J>((CNYN;{JpDt_z
zN*u972iBbk<k(Wg);T27gH8y<a(10&dw*&GTJd@4;(S-dWVh59bmKJyT_gz0K0hj)
z$)mu26OOaJ#U6--lfV`*-MWzKQ5y~!5(us=FjE=|XLEW%=pVqd-05M!Wd&74`aZ9!
z7Du@>Hy!Y|WCI>}oeB#6Ww30yqvLMIFc}8RQO$bmUlfp-0K49h8B^(G0tlU*S#@<?
z{)=5;o_Y#^R1h=WvQL@Mh`|F~@yO_?UYyGRTAV2l=Dsg4pAEmN@?4$XfrVlBHK~8L
zVCP%;GJY$5z4k13nkg?9KFZcy2JFzQD_+<7P^QLRA`|V4cP=~}>pN@n1;RJs0zvF{
zW;{z`_2Xu4QF8#}9Iz@Tm`%CmrleEQ4(eA8`@jdY1hG4rdYj)`vMLcJfqUsQXyx4C
zh2lJ;jo-<-^wtCO)pa}1JH_x7jlb+6E&nQrOba`(Td3}~PuVWP=)8PhWzCe#Hh`}#
zA7gYDK_c8J8!|HI^CaSt@!=bTpi}xd5<C^Xp77wDf5tL>clJnfTQ)@TzEr>(+y_&5
zM&H6t>;3Wqi*fL13_PVPfr09f?q1i0tA>sJQnv6Y@@xjbE194V*?SkqPNWfH7|%TR
zDW<1he=cy^sGk!4(JQ#q6uD>hr~G1hOxUZLH=$Ik@jN1<IyZOCVwv5Sb;pOdHqHR{
zRMN^gRG<P9^<*hy^4(J?<d=7mop-&6oMz$f1jtL>QhYvKXm^!OVeFKvelL_cbfKQY
z(w!;zRm2wt;GZwAN5YUU6uY+X-wW4zZI3Hxb2le;$mT@-isf0VLV&NO48)AgqEpT+
zxclb&$7L15b9H!Lp-j4@Hq*O#Wf;VcnEhew&ey};v=t=}vYGb)MfUZf{%n7(jVF~|
z-I3!?5ic*Ia6lv8=npp0^n8BPVB(hVf&<l#FYkJMJ<njFxdPm$uPKdbt6B7Fd3MA@
zq4c<QCBiklsM)z4Y=UX+RR<}2@o55YUmeDS2gPTb+1@-^vK-|-AHEiFGD{{QPyy2#
z!}?lLIBXv0iKSG6X3#&u^IoZLK{O?K_NZhnee7%AncL67xXxmLywnFT*aQwo50_;p
z+}tx9!;*=7VJ1y^jTd3Re}q~w%!<a1LpDfe``p7ja9_sbW>JV$gj-n}FtU<LmXQ(b
z;-!Wpdl`lV-BIqn|H?7rE3>&Tw<JFnAqJK~B8NWL>js@IZX!}_tbq1`YflE+2vJO_
z@-uy4Ivpbz{u&EEtBmlq9Hl*+IQ>8(PA=h(Ae&X1euEgTcsiQ}JuzQf-tgdD%OK#V
z5AzL!6txnPaX?jvULPk&qw?p6?}a{ulmtHx>zENg!YyvScc=J$Rj6lO!(KM>A0_Wy
zdYubRXstZRr;&V^-d^iSJX_hCDs!g*iea9<7s;sGQD0){ty<x<5s%jT$QNNUc|+9z
zVX(Oa=&r&9Rbfd-Tte2FQ?X?w{hh!41)+fz<+HMQ*V+#|ZvcE%L3z^01)%2!2PBOU
zL`LQd^EW^C(`AMNwM3fi2v4!d^lHf}^fh?Yfv+H^AoPf|$6nh$jww4EMdY8ER$^wN
zUXIUv_~K}V$aPrNO%ACCSylx&d>KH5x`m>Q?6EJxZe0OJR;`DvRs;G=P+HY+>!^h$
zy(nYZS!Pprv%^Wpkor~aZ(RHh&bNaT9mN(6!XEG@XkfBm`EKIHhA#J&7xC$-T?*=w
z6MiBbGO;mcAWh<o^ra<8XJVN*jt^BCM5++uz}Heqe~UKk(IRE1n1+Z!ws%sRh*S6*
zOy^1l4nIu-`0b8NfPOvS2$M!As4>5h+c*Ghw|Bulq<X%t084D1W@<jbT9z9gwp+NC
zkVSbO3M{=d?WmD5B$XA)1*}4FO<mDvRg`_N?(@@<Q9FR2G?O_ynmDb_e&Uc{x68G9
z(TT}U-H!k2v|_o|_gHjBKML;yhh3^X<x@29+FL+QB-*lwE%P-)^{?NBBzCyBLDS-|
zl@|Z+I5IE`iNmu8!^^{)Zo*BS@S|JjN`Px;6`QHIZY8a%+*zZU*5U=q8=8~nxvb*k
zv07K-Ze^0p=^wFoKM65YoeLqCZxy*c94tJ*cy!l{_A-n!GW_}r*>I(uI=#Oa^)N!Z
zH#E7@?QN6M4<nt($_I(AUflxECox<dmmM^gS*IvALG703d<^qCoIRD9^T+Kf?#9Fb
z3f73$b4LIh9jk4as65nz_0Yq!OEs5CSDTz~fnFO0riabvrT%$%wH*E7*17zCrbs`s
z^EvAqYPq%>6lUL@81g^^UF$3hTb-ZTR`Mi2vp8F*Tt^nwuzBFM^6FxWs_r9tdGJ@a
z>7~B3BeTc!XGNZ~g_uo5Wq2)8@AotuYc(jwx)lHEG=Pp$MZ1aUBw}e%Ep5Fs+gMM=
zwElu**xdo;$ES1XqQ+@_|K3YAV;U`DAnBui&mO)QOe8Q5PuzF&v5KscXvk>}vb)YB
zZrO9Mb|{5C+QS`2@B%{4%hedHTXU36)<b-&6>4Yhn!&opz{22RUZP-@2e1m2SAAi|
z*K*3Ez{-B^M@@GJRFK7B0AmcV)P|1nV$)-P1mXh}wcKvAqdk5Cn!OyN@VvSTo87Yv
z^Z8dcKEE?`2HKS*WjGCHYD?v=13hZ+-R4sx#IJ$iH3V1`)P@(2_o`=ZVi;{GsP}e^
zBuu}b0@(-T%zwM(#Vl?`|3@B#t*!@D;W569l_iw+kwKKhoWAZ!;p#Nyxt03~*iL@g
zyc-W~eE+WlpSLgk1LWqV;M1@kX<ZAWkhu+P1-WCD*}b`mmpi+&687Chdy3%Szw(Ig
z0(jBK!`<vS+sR7AIUPENF$)=@4ZSA5Wc^c@ps*dQLAe@vFP`Jve`Vn>1>sBSvW_4U
zpHF>JzBaB+c>%U+3Eq|YBfpJb>hW&z?5KG8U<=Qd`d7go1i1L>#_&HBAH}i5p8Q{4
zHO>uAO9`_&c2;j`xgoLS+@OcjRy3D}JOOBGAAj+{=7zr^9!09%UE@{);Tzpu+GbQe
zoSZfib!!QI+}W2g`8aYDa)nnoa%HS_Ns0Q-VZrU*UmPWWh2m#D7-9>9n=w?(V3@}+
zd@BMYg$gCwnJC`Ru@sGMYK_*Nn31Aa^U}fl$o|Z8Fos{%W-HA=IR)~ne7p^wrbxNF
z_V%5YnCJS>@Sj$^-#>u=E9uxic_2<>1OV{I2mF5|9k9QW4jTho3sV!P|I9h<Y?BiN
z<FXhKLT)~xrpC-+VY`Y0j8>%Kdma~sL*g68s*&p}#z+!~zP(Hc;#<pjHGP?HX1t$y
ziGp3X%|XwqpgERT=L3uB3;wu+HxoRPFN5^@lq9vYF33CJ-JDCK7(-HIUw<iSEpKj6
z2UgXC7o?z}2EJ^vNI)Z*A`4+7n04tv7HEa~e=yd8rqu<S5Y4S)^Fxd>=Qa#w{e82l
zgll={k)xKaElArIW^HF{-|M+)kVvFnhG~vAkVv)#L@vRl@bb#Gw)kWJ@COJzD~N%w
zfYn(FpIB%#Lmb*F*LAOKjKM|;ze&Rm6dG!)Y^<FfcIV$97W}CCgK|i|zViH}?`HFP
zFUBGAq9~2}VXW63+z*DUXyU)bolV>tkmEi6!I67a=tz)}uvK+~2YAL6oos9~aN@Rl
z^4>Dfd<u3W_}V3mU2h|empsaI)C>GuFM!7%YJDy0*-e(X$OAq7eQtt#u{rA01&lAq
z|Lv^KN9zyA->y3X`v3Gdh`*hsEU&60EUGUes3NK_svs{c!NkJM(8R#P$i@f^^1tCS
zdmQNyejonNc~wCg7z70X;`jW&2i|Xk#ji1|6TO>>A+3ppF|ECw5$%61w2Vv~boRDp
z0A94gixCQP;;>Ly|HXopln_z+t^NNi5MaO8AwGkt-wM)RLemKV02=AP0=T&2`w0L*
z03iAMmF{}Sy5QNUD=T@=o*TPv2In>vKvE#Esq3tShGPV1)g)A_XKBM2Uo5WG4fztw
z@<CXL+J?ZW#Zuz$&w6{;y<E(DKhs;9X(nktPN%fhT;I7}|FXPpI!?2_t~<(fb3e}c
zo})g<O<*21l*h<8kw7#hAu6-m7^_L%O-67PRkEflkjfmh`yUV`_l4mS?BwdhW7PD_
zQAB6easFbftFNxn(7~!XBKl3qBdUJN8z{xej=QXZ3B48e%VX>}#@<N`67&_CR#2r4
zKIjzcqHGh5ZO{r?FM&GQGmV7^L9OAaC4;e4wLp5C1Rp(LTfo`EO>Dp8lr^7Lu8_v?
zyMB&@Ch&1gouAiMM?EBsO5^a)l0lhif!Z?7JrssxM&xtxQgH|j$j>LCbrytqBHR|#
z5)d}GLcJ#~Ao^Asq->$YufT)qeLY_(?S;BUVMD>f&Wr1PFE9uMu2^bwaI%}JH~DF`
z>T*pDJ{;8_HsKcT$8SM6aX3gtlLatpnUK;@TT+hhYAs{wWnMLVf8Y1MFaD^#`l4uy
z<(c_AIUzUBPTu7LW9419L@tqpI|F5^vD8>=9f;o(YJ_7trw>MMZsI8Rj?TrYuYT-#
zIJjNy5<}|C8@)(^aq#V2akA4J1S+G<4*B|`A!LIy&H+}0ih9UHgrB|)CpX&&a5)&*
z)9lw+CmhEWNOX4$q3b*?*KTgQ$D+sezT*IQGqU~!+iUa=(Ls{0gX-m@%6-rgw#@-<
z!Gbz#L|{sAA$-yznwSWv;dOh<PITQ7=yboIF>~m0klH2Y->bKi9w1TAaTD7>>Er>%
zBOY-vYcM3l7lvX9-}h;u9KT_&ruf9r4Mp#a)@&e--S`+Wjh%APJm{hwuwc)Ti(;@m
zw;L3pb1$}mpE2Ob!TU-C{j5%Y3j1kjH+Q3lT{T=1j{>kqOUz&#G|x)6Y1a;6at92P
z%<l4IG42tY!Z+~tlNH#&3W~xu{~9kvekFumZ|d~Mwa7DH!Epo2Og&1Snt0L4wnX^(
zC$eWgyKCXbziwuHoZg;o1^Nd1i>#w7beN^0t?)moStwr~3<EMA8F-nRl9J@^(H{)R
zggMu#?lYT@v=JYf33&^(@~Ot$-35d&O;FyFpLSFSfqCIl_f=Tj;nEf2ur>2D@p(y=
z>b`eLqr}?iKk)-6;6oEWi4p|j5~*#S+^>$)uGMXRIMCS4^e$Z@5e!+i@u|c+=(Y~s
zqlkP%tS@bid>I_^HECQNKX)QZhFI5AIELmZ&t@+0FPOAM?%7m4fO|T<>Xi)mh{Ip7
z3qbH2puah}%fzDe<W2F-NwF-3jGKv;foh=iZO<dL9}HZnW@&z0R_N9-_CE<LeaOo?
z^&KO1NZM!PxRT2AyIPoP+2dlGoDqh_wt~9c!&%7Tf9kq@ipb6=p2jJPE6GdToO}65
z*8`Q7);Bh3ozT60WfsEnwivzjs$=ZeDsBuxBhk>ei+pPk`P%W}vRY=!hzkwg;9JK~
zln}VXLTCf~`SJ3Ew3r_abrstTAq4HItN;-+Pa}8(h37`QP7ruA?aI1Hc(>{z=nOMJ
zX$1IQO#a&EkXz7Tw=beAwxT+<a<<iOKiPCUV7h_1dwV}qp1YnaYCMXWQ}?Bz@*<@)
zTMC+&qg&R@kX_L{gRb2}wXtoGUF+&@DLuL5^clFwS^?8uU?7gaG--D;gOicT%DEP+
zejI<sSIdppOC#41@goIGx=014kObSdM{*NMN+H(2;_K{W>mN%81&rf1t)lf|9pM;y
z($?D3W90cD#=6h-I~>6RuiWk4xM&NC-)JjqeB%YbHnNp_|Jp`-ymgt#nlR2}-<2#i
z@m7qLc$6M<7V8hPv#yZdAtT5ZBUZI}qp{c-I!`m};H#a?Y3hE05Wj-6MqvZ<uo9jU
zVYuarJ<0-Eygv@tJhZOl-yGdGrUc&NH<xesT>u@__-!aje!mWVZ}U*_(((&pU7!SK
z=yf@_4m$vw&)%uIKItZ(#Azh|G1BP0YFr^51}SA<Z=XMFxZ5B<On+&W{o9kEr}6e4
zndVW8SGywKu&D3jE5GwSBzGqa<38kYv_vj?LEq|hAv@3N=rt52ndom1C`+=4qhdCv
zrTi%0#KABF;1)fL!?kLodzcsuG(0~d`_HNq*i_~amF?lMGrqBX<v{D#GYyw}TCS6Q
zYmb+zNZ+r_Bz22uTC92T53l(MOW~G3S+_Y{Nw`vX8K?7kP8M}912ev|{g;7;7F}}j
z8e%getKRU9I~?3YA-<unVhR22@aK(GTSms&fvwlpc=Kn0?G`JZWcMWHeMB(=GV`!7
zJrRy(J%00~rKYe(hRajt;he_l*!1tXAv2Ycc;-Dte6K8Vz}$6kiB%UIF<^%WIWY<T
z@i}Sawxe>-`ND0=pm~SX=IV!?!|IT~#RUKSy?1z29B$Moo$eD3dFBjYv`~9<@x_d{
zuGkY&B2Oj}JNKwni<$n4_3!<3^s>Cnfi?e*T1rxs!145EEv+XO^8B4-YWrO!t1Nbs
z6I$vXxSleafLwzIF9$M{X!5?UGU$}2sVgzIGZas^fo=Kh6X(X{_F!&4hDS!H_{M?+
z?XC+~FCw49_O#|u1|e^@lOOYNNu^F(y-h~-t%k9bY*+*yiKO|-lk}jy!s0p0&~o{l
zbg0?uy1d(A!u7xhgzqGs_xkKa3&)1YSJS6$@}l=>^mxm)Nv4>-&EwCufK{)s$2OUx
z`T-67uqfg@I)d*al^8@$of4v-*Vkmv4`U#-@U8#_Yi$y<Ze9N*d#K^_^gom2X2FG~
zN`lu+mG4z)b+p}k2LqQJ#C<=Qo9_w&exq>dFYs{wEI3K36KnSsT*Ja;^aG?jRJO7e
zCfE9@``O5glXNE}LsS2(&{7TGthC!SkSg~G8D$2>gmROpQ=mvCMV$D$?vt%SQGPH(
ztdKkTq6a5&_jYw2BsW)a_Vxu|PtQCwq8tX1_QV~cJmQKA@h$IybRapSRX{MWt3J8r
z$TkXsUem-Y$V%JZwK#@&0@xJ5w@U0aw7#Kr)jV5Q$sd|A`?mLP?L#>+rOM}F!M7XN
zS*nc4JK9ft^xTv@Z<Ffr2uYxAezvJBleF9>NTFD?_6Z3eo8zG4_(|0p<@T)8TFUP}
z4ZttP9ydEdzp-SMbH=jaJp4FfM;fO!Ng@6_OeV6Kr`^-zUOahFMoE8^DtFpyE%AiY
zsDx*m2D|x3laj(={0v?%lY>DGvQ_CD2u!uK$LB}IRrXkHL)j+HKcjZ=m<+6cvjaM=
z3H81mx`uU2JfJiYM<GCCB7%R{;HnQlH9F4_yZca#VR6q}yh$O2u&R2*+pZlHUZ2^*
z%=Wr_U#~R$qsF+)j6E7l%R2ADJ*_=h5pDA;$G?ahvrSP&<U^M(2-0jz_(7&BH-Ucm
z4e6H)owJ(3`Cb?4FN8nzw{%resBsit8$-R8)%OW`I@ouH8~TGh-k^aKlI--<r64JG
z_;?use(o1M<jJ*1swnB>bT8L{D3irh+dXF4Kk%YVfJ}GaF3+O9vl--Y_glZAh}<z|
zcQ-gXNR&3)ulbgg$F@XFyOgAV$V&Y)S};AOGDHzv)kBE#R>6s;aw%|{n>x=g>3Hqi
z;x5t{SE*_4wc7PT8<b*=)4Oa5EW;^oc)O}hPu5s#3a)QGB*5I=y`LqFue{+B67j4^
zL{9@CFqrO_!H!?(zFJ?`UU!?Jo4O`GeRNhC&*7#-AsTuCVB$j`9b%AZayfbH;?nh~
zF$#zn#E(;##fhS7^>pt=$2_KS<8Al}m)?<3dZArH=3s!wif9ql)RI#T{a%}~*^}$e
zYUMXSI(_Vm+ffX3&zs*hS@?C&hb%W$QB`a&Q4iszQSe_n<788UJvgA{!)g;{ZY@Iy
zHyb0ksU#YR)XlK&B^H78?g@GwTF0Z9^?1qbOf0P22eL?E^KvsYDq>~#@j#RG1%}zX
z?pf(6_!a;Vp4WjA4Z~;b2Nc=ScU-0bcBK5tN6q49T_y4&0^=teUoLyC0F)v+d6?<7
zb+>5|8jwmJyx`@hxw)1m_2D61@POW{orMT5jqP}sS#h(%IVc2+h>l)>!zjQI+t`D8
zjRus(HC(1BP`d^8>ISy?1_&XCGH@jn^E~U>Ffu%jGZ#yA4@#zt_FIILYJ#>~LGhwE
z5?J-)PFog&QU=Cp)oUpuE;WC06)`QEz(~GWhp6~~!j_HA$qP-*&uJ&yo~kr=ZVMU^
z!p6I34;2`KPPP}+YcUZZOy*PncIJP+=CP^hu=A}n;5USs3A;5kK1!1#7;8y4PQs7N
z*Z1`_b{^;B1kuF>fa-|@dasu?nqD9=jZa6xtfO9L4Mu7D-_*_&9W{c(-EF28Zx(0$
zk(HVM{AXjxoO^^*Nv~_Ys3y!&SVnHcg|<H4a|ulymA9ek<0VOg)M4PW!PGwbBa2jK
zLmpX@_3Q>g7KjM#u?P^x(or?4%LD+%jqOz-z4Z<YyU~g?57>MYFOP`t;cJ$%_XmBa
z*LQ9FF`@%*3VVI66!Fldtx^%=2vnZueF0K>xDIw=N^eu$>mjr>zqW-sq~<^zp>%h>
zbPfwI(HkD9EYem*J0b$Gl!TLa0`1OwGc29PH?t*9Tqx*MP0{8`Je2UdbRbInrOR8U
z(5FK7ko;F+nyseWy>E0bzV$HB(+qW<{J1xH!Z}r?4NpPrG&XwgLJRd1XC4@Jr}$_@
zOY&~v1YY`hxjiI^wBHyYSw{5iL$L9wi3fzj_|7UyI}mogvxAam^Hx&yU@H;-N?x#H
zYI$(Nk9uf?XB<}!C4%;Oy><AYx1+DWf;#)s0+RbEp6tW8an*I^pY0YdHkqA#m~Zq7
zC~pSlzc`l%c!ewpKRQuYBc)KrN%V8+*Q(}Y)*Tk4O~XTG$5!da2Ov7Wi`@Zs=buml
zuk;G>#!B#gFSS?m%DS%0|6*NBV;N0B&uj;b0nLR8pK~59{g9M{JI3h`_(wu;IgufT
zbY2*JqC5kg;x0_zP*CcW%`HX-`||JG2O<?%5^WYlG&oMr0(glxYcR2N-j24{<>BEd
z9<#r+mT+Bvu2L;!Fc@H=sN`h+8j%bq-%iF3EpV`ji+7+XhQI)x82+JoI7N%7VqO+E
zhe^%CbIzW=y^8C#ecTsjb`aq+<`ZI*z;H)TtSXhJHgY75Zg=0o{nJwbUWELg?WUGW
zgtE%807Fe~18nbdNM~kvYoNY=setj@4rG!JXf{E^$UHtS+81B+#ywp*fW!Fxopw5|
zL_E&)Wa}cdhv_@u1_;tUubsAk3wZn35cD49ES9o=RM^z9F&&MB%^5#oN{Y=eeVlPl
zIBP_Xp38io)6@St_WSXs^fGSt)y^Ese3M$aJBsHkk$jV_KTISH4My!8ik(X7M*RCs
z!pc0{7FGz6nI!0q=KX2VUQ3zvXe+K5r9i}g>uqeLB%&uxm?bEFVk@G@iO(&I+nEJO
zQvL@j;7%t!w#-b3?DeB9M!xd)l@(SJE!8Ns=A1G#x9O(Bub5ytV`Zwdd3XzHWCb}N
z<~t@{k|KIz&gotq<gyeSI~soA_pqV6(xy5=<z&nu2W)o`9(&Z|03jI{=*E0GO|zzf
zJMC&Vzs#~mk!&w%7!bW(P1~ph2|Q!T?9Scb7sx@j;6Y0jS)4h;xSYeZV2Le3e^gTX
z{>K~^WfGR#XTXNGQA=wZ%MxO|G4rO8oMdZcdVp?gJiIVke0h<ijimHUw0wrk-MK=F
zEYS+Qj8eVUY|ca!t{?6dvelE;5KvPvM#72-b}L_@E%dkuVCe%SZ4`jKm{T;FihF?C
z0qCtU1_OuXm?$%^?=#`X2tM~LQc+IIIXd*}Ly2}K69zweTZG~K!<eD)nhr8lUtUU9
zm+NwBN5!%Py5!QoP-k&T+$1j0;KVpRiym+&niS0J*KZUg&l21yAp60`>J{Yk3wgA{
z!Eakd@#%u`tJgo7iXjqz5Soz{$IPsci}U3`vr0OX6)c^VgLj6yyv!2Eq+Z>Vx0nJd
zn|R8NJxrF=$#{cyjT>awCK-~ONZCljJMcDyJtUc&eH9c>v%U=sEHzzS_wS~Q3HHLs
zsKt4$-}FVAGb<3ST|gD*icB(mFk6YErc+Mp-ftR91X{FA{;K%$+`mF5^}ird393TP
zfkqHzfG*pyXeI>T9g<6c&uw7hhf^%~gxEgj)Ie?@tE^(F*fv{tUw!h}oZEyEWmXPh
zU>OQG<e66fq_ve^e}cNtB3nq?#3SaOtII7dIxTG`g1USP_Wu0r3cLeXISM!tQ3i72
zeLN2PW;V{edn;qVLTOYQ3?`9jdH@a}A)9;uCW7b50lJJjZWEb+XbWrv;vUOPL~tQ3
z3is-BgV05-<jHqSpIYhc*Sjd^{A^RJq4kVK?$2J??x}pQ_~!8t7vJm0FNGT9nCmWX
z*MpNAlX&@o_b`|GZ`YpOj`m(yx<k74PZ+sJ4i6ETukKNzHZ%7#)Y*jl&O|QYRq)9>
zX^<vNV6l$!auSkbLY>j5S>^Sf3d3)-l??oJ_1VP5VRjPJU2iLO{&?kaVP9|FP_Sl&
zK(a*P<fH@DFkfeJ*vBjCxOwA$2eo*LG8cUz)byxHV(T9XRqqQ{=MXN$RKbL<VuBVP
zeZV$yp-SLNLPai=?eq^;1gMGT_}#QxD%ay!e)8LH>q8{{<0-CP6QOp&@MC$YCL$+s
z+_o6i{+S;%KwL{2HVp{yw1^qkOb^n<NX*_Jgd|9LmM?;56+CBQ9kOL4{T44J&6R^0
zZ!9~PLp8smpM7h68Je-%QE343{Rp$T@a)b<?6x4n&{nNX;fL&FvgF1|BZ2fXz_LZf
zI9oL}lH{YOXH-s4q$mN37eND?7r`21C2Oxi6^oz0+xd==oE4CMSU(Fj$H6ZSA{eW;
z*3J0=RKtjF)z(?RMUms%(kLNYpee2tra#Mb_ct1az^Ss-t~7wBFbfDUhutKFdtO%p
ziJ~e}>pL{n^mV>8R92{cd+F`OQ;zS<+SbGrqLahdq%k8BBH19QfB*TK&fPR5hG2QP
zj=VtAR~691fn8yu<D}HWv~blVH}m*t8f+*eTlY^;1Xyy1N4X3Lr+;ZD=~7S6Ja{5%
zTp20!5toOx+(``ucmRzYD{Xf~JWH5$1{t{syCMo!tsmyVnr`tQxizX5I0G7`6aevW
zSvo>{)ls8ZU8RyG@a3JFh;dInqz32^mq-R7nYq=XR4Iaojs3Y;TYk&9+zJZigt!dt
z+v6ajyj@05ZL770876%l9{>F5?6Bl!d585(kRZ0Ps3ZW;NBu>Mf@m2plN)!2M30Uo
zWWY~a2KuLj*)z%+_xovEpcg<UnY99>f)8?Hp<|czt%A&E(boN|G!P0#EOha0lS>Wi
zKR}NM2~{lHO3EK<^E%e}BlxJsne^8h8^$3E5@k0QL7=q~m4u~Vvb50GLr<c_7vl`R
zHt1L$$*qBa9?xcV1zfG409lzZboMA=So8voa-T*y&b6#^g$5>{bp(82ln(GES4q|J
zBn-!9I%WYO$P2?2-)5Xa$)jz#Ej0^sPewa#_-6E+bU2d#OxHGg&Kfb8E)IaEb)f=v
z`-cti14G(hG8wRF-AD_N>u_K|1_lGQh$6d+q8Su7!AvM|2pqDqKHgsrenKwl>Y}29
zW~SwB@zAKaZxye7?cOZzcF1<d@<`|e)!6kA;iq&y?0Gv?i#aVgL3d%B_z%2U?^1z{
zeH13bpK-`~8KO$|TkpmhpsI@mkKP&^$x;ELRN82iy%PbF+m&ao)DxTTxh)K!pv?r(
z9eSGld+;~%bel;8VmRhA@p9%Sh_*-^{&|}jM&{m(R@*ESj%NdGYEXyhk`89>g?f7=
z4WS|P*-Rk%dqJc;h|B_e&?9-31O<2r7KTk|Yk(CRBP%?CaR3n__?6%RMEB6HnlWO9
zzwxYSoxoKyUvi2A)t|z&%9=6*AjpI;c<X43fLa5A&V@{$3dkHJ-NQ1W*ln!i&Kgo@
z6h_MkqR8``5r=2|^7v^JTzpntnCE(C6ooQIcTg8&dK`;Tnqy_I2BHDta~wCnF8`yd
zK?>_gj|QkMjpjij0RK!P%uGFyG{^%f)|8SXY)mop3d6E_*jaiyYNwXX)Y1(t+}{0%
z9ola_t55dgN(95)%=bc<RULCyd%&_<`*Io0%Y!dXCBYfDK?k5gRRU0(B>i#sz~|JM
zf73J7%q3No?Ilr|fxVS>w4#f2NT)O(!<Nmifrc~~HUL^U=fv(n;im)z0Kog>6#A+-
zRR*C(&m@G2B=TS|&D*2c&d<aCzCgMVb^r?E&d}@%Omd03J8o8J>Y2)Z2Hl@9Q3#vR
zm~m!8fF|^(`b_3QGqoU;4c$#+XQ!SchCmlSCC0=_e6&tNA7_Ey@Ez3@(Z)*GlL@^^
zm>3E$z+%*Uc%;-RzSb{_yIru>d#2=rbod}<Xd>4=fD03*Xb&C2k%=Gx0SGJcmpP-q
zCR8LxDiTFYH|$xW2K&;Cmo<#v+8!idMXlX1WaAbOL8;q@P7yJUD6}qg;;GLrLwtv0
z`CBz63MQIw%O_PpP8vlMH5`3(c?Xy@CuTe|_X~6iB&zcKRNQT-rw0(HwnE39vlDMn
z>BJB!zHz6bf%g`@0jPv*?IC^7yI<mK{j;&gv_4R!hK4~I1wU@^)y$}qO6qP8wMOq!
z7CdIME~F%d5vUGjdPNm|!rEIX6vP}3m-yTMGBV+DnlAXSU~`w3$tN=C6c6;c1*!<<
zag8c)|4b)#DXC&>z#|}UT4^xsMBEeDmaPaNGkz3c{CsPIF7RNXKD-Fbvu676g<iWV
z(}8)t%09N7CY2V+LTj8=X{(+KosXaK^q)KPfRVEJr=d!q52CI3CHjmmgWR_{2y#x>
zir@EKs+2Oi&LIe6fT*EZn`~#S+6vvtJO+SZK~@EGC^G0K!u`sl6H|{?A>d_GC*Lh$
zq0LJ}Hdr%bfQF%AcpC{tX&nzUquK7iqtbQFgY$VgZ(pVB5zWdUS_D6ajhl>AKCb1-
z({W2wp-z2f;5E&STwi-qcvIRV;jOFh)p}Rrj!^(m$mg7NHN+`R9chl?<4NQs+_8)d
z6w6IC_Tb|-)*&ch@<q>L_!>EhKoJoteqW*D&tv|$NsKY5HGFYnI8P79zA`22MIjPr
zWAVCCqv#xS?Jp>DZ_g>W<5F87e(EW1*hp?5kC-_b?XzGqQO&(s01Y1(Si(0S8+f*L
z${x6eQQ=_xxO?JKH5^-LFEmPxddT{7piBY)^s~_?kp%8Of`#w5!lH-W;g#0D4ik6N
zI7E)qQ!?Wo2F{n}Q?lb;2DXW3mqyw2C_38GYsvhS&>mQ@x>U<u%Sw%B#<Fa(cI#AR
z1EI8NDt|?-yW$}47>)TtwgJrJLiV^TKg8LisN2K?LlqG^5cFk27mrEQswg+C(<yu{
zn(XY4K1#N`RtS%c7`vt`-18GPBnOfW3Gx1ow8e_nbrOf6QO_T?@IxrWH=b<-zHL)X
zu%LC2Z6rMaMSd)C>D<jT7buL@PkgcvUy71yE)31j$JWIStIUl{;B6-r-)DfT_X_pD
zp;qcI81Ci{MtV9v9F89)Rgo<W@2=vb<j1mEWoGV{3JMHE<w6pt24Ul*X<@JDXG<u+
z-nu)D`^&x)r^GtEdoqRPv6;_>a{w@+iJ?KYLk9hvZq9`{r4=Jghq{Q52@1#ny`Z#<
z7!Du&w|SU{my!67)t!~8<HDxl^7Wm^`|fe(xTeXkneAgD4(|eF_<Om$E4Kc^1BJK<
z$00OHC2Y-yi!>J<ir$U<^#7{pZPbSQlt&ZP&|-S3o>RF5h82p36Y#(lDGq}=lX$MX
zPe=_>-eV#5Mo}CvI6Fxfcq)Yx%xt%`1UZvS@pMGJ_&^=8b}B6t7VFO7g3EgAEW?U&
z0D&NEgTvoxJf&E^<J(2v5{mLZMf;4R+xY57zN%b%L5>!uKyVP_Ky!2d<nwX+KEB90
z*p&%Z_+5FbYkr}mvF8t_b)0SvR0MUa-Jz_KXkp=g{A@nK20S0CfT!;V;q<|rzy@n!
ziE{#iUTq}}JFrhr$Q!%DBggNBbqHke--Dxwc&25m$o#W~TPxL0YL(4UHi-Jl;u6jF
z8FM>+GUclIdeZQ9j68A-9w>?py31|O$N#LWCv_Is`~-yg)5M{`9kwNxS-23EDPkPb
z^zaEP+zqz~D#PoyskG3%hu(>n`M{>6qY)eWKYhJ(bfwF-J{-G)j%{{q+vwO%R&3k0
z&5mt59otFAw(aDX{hjaLv(Fy)-nqsa<NfEE_0}3yW7VAVnNJk~(a)sD%8*m_=yY}E
zd0#k{KQMZ{JJRb=mtlT;9lS3{$5{9%Mc@p|brxiiKG<~3Tmgo&eJ@)t;mxBqfwrIK
z1V@(}l;A7gw||SER45|0b+M_Wrb7@u_ywfgnC#cr^GtR$JfFyK$@JJ1C^AOlv#w!A
z<)8scG(j}s7k!{l86``PB-A84kBZ=<tG!GEx&_;)jFv2j4^`7*Qo370+mrLrA84s)
zB<DzAvm*C!+;y;(#Gb7@<1HzxyAS$pW`@|LUiQE``+gzYhtW>HSo9GU5ZUj<f<6sG
zPn(f%Wh<Rxg?3u!MY9b`8_O9w>0(v-4!3f{y5gaZDD#Tk5pe+~(PCvEKZk|@w$@d8
zvpMiFO`W+5teRmk45G#Ddz^=Wi&DuOSAnuP@}^v`ipq-~v(1{r7B^+Deh6BONe$fr
z1`6Noc&$A1S{MbXjqQL4I^Xaj*ir|GL$e(A1(=JX^8Tv)I2rv#sjZ{X<DZ(rn&?wk
zOlmJ#U(q22pX7>*q^@`TCs<DSM`UP>@B*DP8>DQv`9jyy#6x-Wr>WR+SPR|<QQJJK
z;jb^^0O4O;0Jc!0OY%~IW&9GEx5-b`MLebSCMk)SzU!eDl+t8nbON%TWewZwHGDjb
zED3>pJGYOP(h5K^9Wyo>w-RxT3fNo|7=$PbY%DJcL%wrZ;%N6~g)RC<YpH$4a@YNX
zL(FL1ejCm0v9ax<=1>^gAKo~qai=uFP0}w?JIdO(&$sXA$uOdO--p^r>?($+6tp{9
zcpfcFO+EEx&z+3E)N7M#>Qb0x7<X}hlI7My+4cMOSb}5RR1qyZU#~3;j3+6y2~Gpb
zozN^l=F~xC8-x517|3^ccsI2+SBzl1Qk*|!SZGEOQ=AOLwbOwwqyV$r`C<~l3k>90
zvHR<{-ez-)u6Do|c+sA6i!BgAq{#rT%BX48U=ETEA!75USJqmb>T5@U!e^jd*>{L?
zebA~DFFUV*&$d-Im5y5piKtSN<;fb_^jRN`cx6{KSb9I{b2xH`D2ZNfnNZ%=osaW{
z*S6nc&CxkF=9(Er#q9-OHIDdXHUmVE3IC8nLDg*iSmdAM*WR5K4U|<zTC8jko|nn2
z-W;qmAMl|U=x&6_3O~|d#A<Y0mQdpxyc%RKePz01FYZ8*bsWxDW>vdN&5WW?Poo9!
z@iKT|(4D&>py$v$4KkDRo1h4S&~vid+m3=R+}R5bZBmC+B7X>b2S{PZtKFmwyZkH$
z3B)I~O~F^kgz8qGci&>@f0~E4zE)S3>YHWUES7LS&VtKm05#kRC#>RIhCj;3&oWq_
zFx^M&<!TbiIo&S%crDZT)NZz+)_u!?$@!)632{KF6`#|B7+r3dcMS=l;q02UCHCQ?
zE$?tt^r`aFww~^O<~=j>ej(EU<HPLY#(bVewS=gEH^}Su13(JPHxL=-0mGOn=T7!b
z#x{%4K28EDY3i3Dia%$EJC(AD@zF2|zZPt?14@cqH1Tz?Jx3k2P>m1M>uTq?TVyS8
zwLP8mct#EY8NYw$IF5DwULroFq8RGg2Qx)}!fX|_-LrE@;2=hPEIZaz7dXh8zyjJu
z#_YE^Q~@0E72spvLNYt_8=;+>REwp!^Tr5Ala{91NEMv0y&M+lw-ieE>GtG5l5IF;
zk*upEzc|NelMD(|^n+49>T3jGGb3S97#we=|5U)noxO0I;&;~9ik;xBl^TcjLl#<`
zz`V!p9@tQD6<nasAx=q;cXH3s@&tI()P~PY=E`%e*la~xTEmsQXmzz6nZ4Dkk_y1F
zUous5v+{b7U6^}gg<F-CW+>!E=BqsQ`E(g;AM^0Y&=(!yuPwIn3>k4?iN*I;INh>*
z!|myv0SrW`lYcT!d@)TPy=IVo`9dyrQxiR8g0(gDM3k7y6Bn)vL~!%#o)?RHI+7YI
zc@}NL!+;kTUWvQMuhBeQy~$9MW-VtKMxsGSiU&?bXcUPa_DaPm%RQ<a%qFJ%hSw*M
zetc>neo8#aavO(M<9ksywNn*Lc6&I8NH;h4pWTjZ;;G@qK65c3r3F24f|Ss745EDL
zQS1l~qm%E){h}ZfeJf=cCEl&4o3t07nsKr&>gPRXkQa+PNq7!<w2k%|2ro}X`gE^J
z(p2!8Pgk5Z7wu_L>}f+al}w?9jvWi3Lha^c8aowHx^8aI5Mo&Wg?_sCa^-;*`o7AD
zJ1YcL`WU}3A2?gRtSNpfwl{+=RjIDp-C}Pz?#fI(eEDM-hkn}73!%vmgvN9ZEZHe4
z=>^K}q?u6l_nQ>&M&K&FciR-GA=40GmF6>Icvq3%5#<E1`qK%{Nv>+lJYW>lVF?Yp
zEFG&JY#Q>dp{!M3p)MZ`?KdWhwAtVpRwG)xcy0#slU77o=JS}6$;_+KH52wDsfxeM
zem`@@UGNZ*bODP^@>4qV0$B+a3*mE9tA$iUMo%PnFs3i(5X&Lg)bK;mZg6#en0HZX
zu1w%`vVR1MR*8Yv;GJVLJ14o<s;bewv3Ut*uTXUt7v;=FhlSGM0@RTEcO&(B({A$7
zw3)(&UDu4Gkj3u3XYEE8R7mkC<_CHPpl^2OWv><jdtyD~Tx(Y)+C3Nxu(lZxQ<|}s
zoIEm0vb-#PxZ({OO*WQS*fPrW!9hCi9+8Ui7kCL?4|i}&AmZZ|wqVZbBlMg=(zZa_
z_QwfH3!BVf#&nd{fU-Z<#;}L9_(=!6Gz;(XGV&(Q(gpMZvfAmUY@Yu0=|<1Q?7Daz
z##YCN#xFc;R_NJ`-gVPzT$?mEd-AB1%YpY#YnTtF!3ehbHyKR}&02R$mCEDUDvEIY
zzU$n~q)wi7x1Vx$CtysI5f@Me&ugfSm={Yih_fA6bK#4hZ_Q;RN^UC~2EhzN4~IUA
zmpLm_MxE3%`aG+nrIaNDmOmF=Kvc+i`#)T`h!<fmbn0I{m~I&+fS8{;kkpC2;|xCk
zjFh_>Pt|MNwO@pPX;c#>ZScF!Idto)J_MzO4Yi+V5zmsNkt|mWs=XPpFG&?_$zwI8
z?P{yG^fWf11S%jXUREDkQD|B_<Jsv0f$Z!b_eHyi`O|4C)8_0$%nHdA<bU-gvLX78
z8lPwg?@;^Aw!AgT?0akhIM-nEowf@)K2Upy=@21&@cQ2vh8d(5t2(1jOo|daF3><E
zUl!(r_AP2i2QAMyP^@<cfjE)biMLfVGiP<DYMI7<;jW&(_+?*9_2h5)SCbO?h(um>
z8fbrPRMp*|o@yAf24eWx7zD2}E*oMqaSXU|Q`^j)#nXfP!DE7<S3YfoixOd&{UG_|
zt;*>>S-Cf|YbPSF`ugQJ*cmP6g{vEYE*6iCFIJ+0=-UXx;_(1-1fi~;{kZc6*el^6
zsTPRJ^^_yll<V^-CAty0aR^kNdsCNT9G1l<ZanHL4BG{nfd#qLCJSK1`HGdZB$=Bd
zAnDQ99RRm{j4)SGJluwpV}uuZS$VdeB(L2Lr$XI9{|vRwFfP#Pp5_>7S)tTL3p{yl
z=%xI$I^=#vByGlNz>!cbqy`Od<Tr`Eq0!Rd5B{Z5W?x&Gr>AQkD@;zNKUY<ttKrBJ
z40z(H!qcpn(wPue*e+c10OY!G7XP~o$xCis&Xa|Zy>FVDeTVDarCQ~u$Wz6t7`{Lq
z)=C<a4PZkK6yl!2I;OvtAh^IpS1|ogLgTIr&$ZWmMZkEDE?0P?7uK6{hLE>w?+Tfi
z!`{D$QT7&wSK+TsLv(8$#Bk%mx!GiOMQsZ%O5qNeD8%8AIFPlaW`o8Rx;#<K>yImV
zQ3yy4yJDNo2rnM1uNAv#X6Q0|1oDGp`sKU#GWT5^k5=U?HbqlHjXcy5H#67ECPecm
z!0h~@gL4G4n&KSa-%pBzo3sLclZiZ!WfD#O&{}SC#n5QaQmB^jjVAWi+Fs?Dwa|sA
zOnZYQzRJ=Y^syy@n$IvaAEmaEl@or;+wW@&wOvjsfAIPJ)kdG-W5XLF0`f-hcl$(2
zUezuDHR2;A8k6x8TFhMYNTy(LrMc^5<SfdH!k<XfC!@Xg?8BGu`w~e4aTmBFgkJ9q
zXp9u{-m2a_2l$JhDOn4N3gEHv(bO#AsSw=vEUP+Q<YRkG^~~qdw$Ck<v<G2stX`st
zYsgqPp2V)XO<13Tu%P)IA_Tj2J*s$LYe(uxsBpn=IA2$(x#LPypC^HB>MS!F1N6xE
z)7#X2aS!my!awR3%7`UuP|HSRZj3ZI+m#QV5Q?BFWapsfW>QY~)GxGJ{!nv=S<Nbz
z349l}#?D;%Nf6^?T&CQC7QO>Ck>*eL3g;V%u_VHSgr_qR{*wE~ZP2Kj)7%8$GEA|v
zT0Fe+cnxjnkcW=u(qGN-o3=aGc;0BLA41Ky%0e>8*OA7vd#OVpq>-|lIO<%graD6o
zTsmAk#NdZKTc89Deg)qqnSae15c>@dFX8x|>CTBqK#FQ1w5rFf^ukguXsJSSFMy+5
zszgnxI{R21qjidrKV(E4A$p7xNxj=-%VusZo?m6)0VG~*MXS8h9!NA#r&<h-d<JF@
z-}|ZAs}WzB1<Yf7QlC((W91D4BiE~n4PHh@qCTuoj_#6qP05+4K!9%^gx|H3Al{^E
zsglepaIq}F7rL~8+6Za)(V#nzn$7~gJBGCDd~yO6GSMIcz1BTH2OkyGQ4olai_dQF
z`Zyb89+j7MhA1n{iQV@>tFG)AovLYJXz4E08FHGCet9Op<bC6yBlld)!Cb^*CXr2S
z-iRXheIZ4eCL?D>TWaUM#t3OB0m*wD&K3x7<4wf-22IzN{^ABZ%Md+SP!g`!?gwa~
zEC_OoJkiECF0P9-rBeQeqD-edxbFeeEVh7@-cjq`bJ7--B%48td)pBe!;#AkjrBHI
zksoYPvJICVw#s%ksG*_cULI$s<b6Qv<MZws$!sjEWMtCg;y1<`C<xZ0wzmHK_pqe>
zP^K(VNPS{PyT?N1EvU-Uo|-2bUiaa%Ed?cUJ5Vooyc@(x2-m+qL3OReaLrkK55Cyc
zKoTN9g{uVh{J$9CpPzD4kWeG8&5}VhKwo_9|BKL#_63y@Q4*k$_$f+fXyah?bw$I!
zsQrnv?UQBFC=gp4<uz=0K#&7_KiG-=2`C^lvXCIa^!fQAJ74&WKkd-Hqb2}#H&uHh
z8AgJcq$THrc;+h=zsm_((!N1xs^u+Qf#plBD6!$l-Z&E&9sd|cH(LO#w_2(SsqU68
z34uCay~KPPs|Ycr?SE9+LYWrF21L%tCIObt(Wf3vu3WaWc$iN_*F?RCt!O)8D&@1~
z#Z*V9G!Rwv1O0xT#UNdR(!4(_vr_86C(&NV=j)d27?|NV)z3=gE;rsfrnzs2Oacbf
z0u&cdAMAJ!#{xFC)w7be&|tO{xUY{6D5NA6s>YgW%WOkzAFa$xw%isQ8I0_|MXV?u
z!J%;bFV3-h)<hP>%~#1Sh;@ofAJ``wtU#{1F8a40P46*FwsdLy(INQ!{nExjk!i4j
zTD8W&5Gwc3gjpYBmLFzyC$Nfb>Q%+6{iQxgoPcTK(krAHfO=oz8tMsa`dg4ryeO8f
z^6e9j+)Z=48gL-JWRfg<gyX8ycr12{gsw<w?)5AriZf!cM-k@RHFpHi0jJWJv~dIG
zb+P((T#6w9gkK`n*F4?`A5HNY_tg0&)<h%!Dv2IkwD^m+cHKCit>`k9N@Yf##iku$
z-F+?%>i~T_4z-Dd2Adii$HO4?9jm;`mE3JQDVpkK&ZpBzK4_IvpqOEF$4*;hcL^Xp
zGbRx=S6z})iKtfWOBKc#17(9801XHE=jJOQbz>Gh&g#?!4^n=<P1nD8*C0AKJ0{{u
zl*;lhNHrww=6!>M_yqs2^_Xa6G9dlcs{r_FIr!fj4F2j@_|Ns|U}iF}?7^OBhM(;c
zJxn-wtVkB5kDBc=IG)<iNot84r?|M78JcQ`5igV$Cje={b;O@KTKawDS1d^$7A|fx
zO<X0~GNOd%62PT<{r%zP<F)GYWutrJ^<{m^<Ne~W^WybF|NORZ24-524+l<|U6J6o
z>0W*;;`cC(@K{huH8<qidRGl-e-s9&SSUK+8?{7qtOzl8x8Gxa(Qp)7*Kpoiwx$${
zQ-1iElQ94o|7Y$$IH{vWQdj+(Mb2<+JdfhM<moiTM{W?1*Zyt-?%8X@sd}vFI>3%b
zkaDgQ;=H<gqsHmMpFdfRg0F!Eq@as{VD*5zxHTIS#eD+#)$VlHW1!&B9_OMoGHcRm
zFcbQ=Z}Y}~qw(nv#=!Zj`lEL1W^fmjq7BDH?bKQM<kvjw^9O3(548u;LnT6$`U4Ra
zfG7k8BC<)o!_G0%X(olsL#~M0bggpUlMR;nVQg;VEKR`}={T)F$UMi_WUFL-$VT5%
z${Mn@kd}Y4$5eKDSO;YlZiYA%uZ;e{5}gra#p)2lx>zPs^{|rCao?1d@cm_b$@6)I
z?oq*{)lHYFI>CYVmMj8q5zRZ*<Z2c}prx{Tj>31d=W*P^-flwzxDz}x{8)zw7TBe1
z^%K=PY$<u%iKg&g6!f5xFKjXqQ%P4aPO%?W{w2FmKjM#OVWHr=D!!As*Uxz0=B;Bk
z93Rh-LfLwlT@FVt(~xU{E(bZJ9o|=qCN-hO^I+lCDBaGhzlFv;PjV5%_lnv#(CQcs
z!rQhg?olnv-|C(8Swq31aiDorcPnt(bxDMIrk2iWWgZ|Tf%I8qUZiT?-<(jtB&qhp
zDPF?+-3?qg3$x0c!Kr}O%k&QHI9$W99X^;Hf-j$+V*;{$4i97LcNE=-w|9NvXtB-0
z;e>qBNs(3J9X>;-iMCC#EZJv#aIHB9adP_-I!f-lrGu!)fZqy7NWQ4u;Be6!YafEW
zvlmy+E{-$Hl<o@FoSk-it|jZUr-@|n<*&iPgB+>ZrZcOS1_tF#>C8lfKWl#&XAJBu
zj%+PmB+B~JXq=cf>Gasp7p06NvlmozBD49UX)fF9E!Bn$6PmeLto>BilN_8zN8UT_
z%*Spos$(gjfF*?GI1vRX`H>=SW(V>afWQS{`PGA!2uy*aL<tG0rxW#sFjc@{)LIwR
zpaOb-$?1+4lt(TKms_lOYINncyu79<Vyzd&A8e}~AmsC_QD>ay2R-wrW)yfAepFWH
zTKb|}D5yJY<j9TdICK>8Q*gIG`dGRnfdMnBc(?z-{66(Z$dp-rPA`NXv1@VdZL`v3
z(m1`ISZLyRtG-@>G#+p#a0Q($kUNn-X2uk<ts979np>Lxk@y9^tUoHz`ls}h14<r%
zcKyKZGxa%8gQxOjCx67qAqHHB4j*3Iw9=wJJl0*pxvJS|YU7aKb)&Moiovv09$|e(
zMo~yolY`y+v+kN@;|2ZXaqtD6mU{0SYZ151OrJ6;Zj-A!n(m&%$*<PNA-{&ZDY(p`
zK=*gzp^WN{w34+vEnLNt5o=#0uKoHuC-~a_Ai;hu&Gh$9f~c~Fwo451UaHIN8+C)Q
zS=lN9i>u6PXi7U_5zzP6pInEN+Lzwpe+aO=a4kkou)U}-0M*ePrM+%OYsAroYU4Ip
z6`oFm4{Zu!(d1f{(_If&4`4ax<T|q6oQ}B%C(QZvI_62S-CXl@tDX}RRfRLFid`d)
zr<6?$Cu>&aP~Y3-5HDW(c>TMPaq5f%n;%Rd_7@L2p2=B_bYNnvALZX5hr;~xRW6sT
z6)#X=n8Z9zH5f9^t9}3;6SK;nJ)6>VWy;=4Je8HJ=h%HuFG^GhJN2KnY*J&*=3FX&
zQy;7%69z(qj#Wi(pi6joelNjJaMY!GA#`kXM#~-{&GnuUMc5>SK}8W|f;1>XjvFiU
z%*q_fva&bLYiX#W*j>ec-OUr6{t3~CMG`sW?Zu+d@=TSmZ{%TsileT6{R$c*(k1ch
znKzSVekg*6TY<>2?E&in{=D<t$Ri|3g%ZcYu{_o4hX?X+U#57-sv79ogwo?!7WMe_
zPl4345MD(nq#5rc90EanU?RY81Fumt>v3D}I$Y$JCHVJGN=pCa@6bIYK%i~lzD7<`
z5cJY{pD=#(?^BZA;P$Qs0k{>=^F}}+ss>m2ZXm|=vQu2C?XW7qk`eZ`&brC|*ZfZM
zzkYWsy^~=VibpmV)c=u&PqUKLpQ9{7lcritl+ag@E=9v3%aVpEr~@$z>p|G6W&ir$
zn8$+F-|y<kCBPZQ^V1=AmTul{Xs3G8p{_R1psM_{ckVsnaMHAb8-sxQ^Fp(s%%Lp+
zl-d|Mz{`8wwb^>LK14vY)vLm6a`jAKLX`O@5jFVlJicODTIj9rf(u<DmjQzUbI^%`
zZiIC!Mt`ambk~R`TQeNmEYThN78KSLI6bT^qY;C8H7%;7aR}xz%q-|5oK)kHLPeTV
zKfgWxBGROO|1>`UXU1>BfbQo?pA>~+TwEli74(=sYYov<Ly}_h3?}9^)8UN$4C8Rp
zvCVsM6ff>9G1j<#)AGr6C_C0f6%7;SnfTTMd$GX^pYeetmiCN;3iSXNwp3LUasX?G
zN-FnI2~9RD?JISTkEQoSMkXw0zI}{chDxx(g4PADomZ`(clmX(nGZ{zQO(+iT?eDs
zl6Bt0DgEoLkl^Q9A;MEVLPohcdA)2|ltEDj9k%9v^i4a<Xx&~$8F}H)#%m-m!KlMW
zo-$s!jfrI@gh}2)u?{>1Tu0s3xS}19?gN>O3HYK|a_2TImpwcuyOu~vTnvu%cb$Py
zhpQEjq|>T{^5y~iJ`dcCJl>`GHAbcqQ<05w%=qMH6&UHLXGp;kk0wv=GebnT;jN$t
zegA_VX)c4ML>avR`*mTLzL@06WZd?$S5k*Vx^x1#GwX(>`>fF)ww+7~r8GGeEf1ps
zo}1*MIku}2#?GphnOrBevL3f_*2#32<L*?+WtxwYl}2^U#AGWZ_uTnq<h+#+hsS+t
z?wv8cB{mXbQIbP1U>2XFHgwyW(L=74inx<ro_cO;=6MM&v)rs-nI+<#HeVRe+;aYi
ztnb#FxSZN#n3&y`7Y@3T=@N^aA>(Cm2Lq^FjqG|yT-+pc#5T9alAY%$=i_f!dvnPL
ztp|}xI3Cq=ZVpTuTd%C%Th@bVdQqObtD|gT>W{6}oy3~$KDN#sT*faCtWx2VsLPKR
zBf`+LZ9>#i2*ro=<}pi8gA<xuZPP*rIhJ>r373|*WGm*lEN>=XXSsjHB1Yq6{+(Z)
zt7LHh*Vzx{?`OaN3PWhEj1%X^s>(QVAg)?vYY#+4kP?&51X?2qbXqu<OXV(53QcE<
z`50btrg|D7f2J2br@!4a`oQjR3lw0xm5{mxbaxjS8q@#j!SeFS(o-t3au~R7Apqr&
z%@L3*l*w>Wm+9(;=S<~I!5l)!ex1n~e@scD59%&|NF+w4;9oo=H?KR*90+*BdTYHJ
zZL4fbW{ty#IjvjD<)OYgz9v9V!wZzb(4SPwG6eJdDeLo2fxUF~7We;!B4)D&txjyx
zowB(Lac*tWomVm@*9sMV(3eg>wZ;X`v2cwi-6ph!;(nAv;^{n|*i)6K>`S4uv<S7l
zHZ(-ua=*@Mz;p&KEGwFDr~-qXha7j+ju#{~R?RlNy2Ytkrj1;WAF?tCwPZBp%*@dv
zy%^WtgX}{t4n+xEqXY!FB1MNu476=(F!<y&v<c_2r5olcFIKd7$c_<bWGw3gZ>fY#
z+-(4bdS=WG1j)~671C+EU$Wt#7xdzfP!G~$tQOb%-*y<UBOD45W*3D%jb=n%7-cBu
zk?cff@k$-Y<jOZaB$FP(q8p4NEJ%a6ifLnY0U%e`rABQq*+*@RETmq<+UOhZ;O|Es
zrmLbBZyu9_SsdppPA_DdHC&RTdx^Mjc7ltXB2X2#WT{UpYMf)O8=%_Ut0g}6J~wVk
zdI5qnW`Q@Zj@EfIw*clWnjw=+Z($lX1HBx7GnoZ9;ojtQOTCNM%DQ|TCEs9*&g<rg
zk{hgH6>5)DRYua{ePGOA3fT1?;ov$CQx_5Dl<*jptS2PqP*|UjTlh#z+#okFBJ|TL
zW%U6_GP9yqb2qVFNK+qcaET#XwC0)$KarjLhG`aoDoHg#qfIVe)JawQb{^P>M)-cv
zhe{oY2PSKsw-VRx)U`i7{sdPT?>NT0H8K!`V^)_dF^;!SI5TeDsW~zSk;cIi0mG}x
zA>8HY`uy*P>*C(&w%M<EsPHR7`rqRr<p0<cHtuGYmin{~#xRr8Q&QBFG?EM7q-dxn
z$EWHQ=;xWXU><Cl=bc8RWxp;3yq6gtla`{PtyL(I4yU^LIU&OecW+xY4m)){jc_Mf
zFFrP0Z`%lN#=ywZHxH0INi>VwIZd}zH^9L}JiyVh2J9)z$L^RZBxhCU=ziD2Izd9k
z*+x3iwj3J(|7r~X*T()dPTUXtdd1kU@BcoD|J>OB|0L`k^ygFD*b`qjht`=4H@`2}
zMN$(7y$)jZ$v4%_2Lj56Edd!wLUl%>Ov6<_yBi4dQD~slgQ-#B<IvP4hmxI`1?Q2b
z_V2igC*3CRxqWz+9NsTJHy#h)JFBN&yDp~Q+jt3tU=R@(^_Odt2Y?0Ccn#;oVr$Ld
zA%J4(DJXing+SmH!9=<>eLaJp++qoB;Q$1dx7+kU5XkZCIo6L<k2g>hAH@iWyN961
zBC!+{)IcsGP~v@B+61I>c0!@zQoAMc9|8id1uQJgfmq?i&x(|>yd~}Os7Z@2`Q~8`
z!kj@065IXXKxYRwV|HY(h1z0;h~L5h;;{37*nv`1;9pe;cL;g7!-NY1kHLLB0`XYp
z5fng`KhLBvV%N{4qTq;;X+CNYOM7#}Gh2Y6Fntk2SwIM{YBF00p#&iQ_(;WOzb%n`
zq6yB@TS$qcB`zcS&+f3Bvj+t~789($jgS*c$h~Q50gr8F_!kJ2+CYnR6~7R(YDxcC
z0h1!wkq8#nW=4uwWciJa>~w9)t+DhcG;jzD>j?|llcAOXwCQ{Z{oB=TFDAVNZ!9pf
zAA=syX3Ks^JC>9c=cto~EUcw&Teei>H<u67LuDm><U~3a;~ZSFbLKRzusqv)KAr*D
zR-SYFtM=@iI}N8Z$B3HUcf>}{5_;xIUUO?>H3RA9b$Q})FN1p+ryM_y8^uBp&&hj;
zx<)ZLXGwqbn{cG;ouMd)I8ha2ylWWokCf7nhkn~m>*xKAr;uj>8)tX1Z`#}R#E_k?
z0m#tkgLBN4eG2KUx@-g+GSBL;O*U;e;mAw+9GQi>yzS+MYlR06(VpkE(7(MLTP<b2
zczMI*<{1XXe=4s1?V=B|ri#Wo?0Uxueqe(eGrR^^g=or-cz0h(>sb9HV9J*sncIF7
zc1|Cdd3|vCZr>n~+Wr>39ziKD)oJXNNo&nf+$7Pshjht)S0v>kaG1aS=K&V;9krtE
z@VfF<u*cv)=Cl*`4U;jCDuC?Ri8ntC;T1f@C!BVS;Akd-x`R%h0zt)OK4f(*RB&C0
z!EEx$oecXBm6&IaB1ht!`V4OeDxy8u8k6zB1F=xUX@GCFhCH}#SX%RBrJlG1Z$E60
zg^miYENz&t(q5!h+sdL&yvAzb!=BuDvmtUtI=TQbmX6Ra8%Ur<#?)}dk0#r`NAaQ}
zLM!v*=x&+LTOwfwVOpTpAjKTF7^RPj=|u}0NQjiuDeCU6w(DntZ-=owFEmvCc2s>(
zFEFpK3?0O=NNym|nzH(LphYAoc4>ON#Et26C<ZxUe$x=3o+&!0kbp95wgse{T+5Eg
zv#QO+#R2C`&DM_nM%wmgFOrXM=-f^Ev4XC?){#O0xUk3pj93W(bDSlVAO>}BAU_G>
z@ZeyuFrr~a$UuPF_do_h!zh_ZFRyQ2*JOhbU{IG9p`>{d!CQRNN1GqmS5ehZZL^%!
zY`GdqNW(C8zp^g}v072i8?NqVo1<lAJts^gnVj(0uWi|iiHr59Sc1{EIGkuNNmw(6
zwj$*qw5#)ITh{8=)=J^K)T_spDXTnvZmPE5*o`r6Rzn0`EwwS&i@D@-4puu}EuTv)
z!79k?2^V0uX(I(X-vJ}8t;?c^15x3?U4xXxwDafp7|~lVEIc^hk!I^jay<t(EZPiR
zEV@5saJ}f;=CKwzW0G6+Z_oxp6m1PtRw4(w?BV4a+M@so+(nbD@Lw0FC59PXUP_gB
z&T2G1+!o2|m&UXohIGvN>Y+bZ8w<^dv|HpYHJaG>Rc@$ZoZ@km5b|*#aoXI`*BVgX
z!x2$OT+Ozf9{4$Io0O1=96cErU$khIGE)9gna@rp&Et4gsi*g<WIUHy5V4R?potAR
zR}LztWKBQpU=rcUg&whlouJ(Y_k{LbM<9EU{*)<3IkrD0;jmKr=0LA$1t!S%u;#Tw
z)lTW3eg{h|`-JzKm?JYoYyEn9wCY%Aaa$M317XgFB5su!>jvYzRLWB;B;~h$kQr|{
z<5^a7h*c4`&x(~5C6bBfp;hw_3#3;|vdcw4&h3Q+c3h7MWzM9fD(u=ed;8hl@Y_7-
zP%3qNXNyNRm(f&UdU}i;G4&AYg0~y^QCY&T5pWejhYhiET@F4>^|eJXMldG<h|gr3
zP(Pa;<QFb&gHPG*JQymUfCx*9B*{6_9Vej==F^>kQtV;h>0BgJun%wCWMsA{`47n6
zOCQkDz8zw43Cu#{0cuytAI-;o+l8f2_3o8Ny$2-%f{0zS+kd(|@_M~wQ6PQl)eXDC
z8=RzLF*T4&E?TP0&32xTU-lP0jPAAipWm_Y_0#P_0?RBA_Q?<`)^27CaxS>P-&kb2
zwe_|7vy?`lzZF9V_fBlHg^CiZcv2NI7C(qib#X5Z7#bmrL)hAgb>%wG?=oZ2!hU0e
za=yiQcZm*>uU}j(ZzL&yjW!_-Gr5xlQ<`1>u|ccj0kF2-+GodZADvvLQe+aRgh%Xb
zH18(4n>5OR@F5<oeqiNJGVx&&?lDcs?(40$Uu_<BFbLN4trcC=bKG{$?9{%d!g@Pv
zC@=4}25vb~uhLVBTse`~!+$y(!Mv2iVfaoQpkCM5r7Ua}KWZz(ZRdC`bxz}-Zs6~C
zsCU6aGk{t*FSEOxzQ<r4-TOZA?L7QV!(m#J*|wJB-f5QU+`L4;e|qj#s<uA~?dL^V
zt?R@Mt=;`0d!=B=&`1RIt;Cyg%#E607O1z*jZN0v>X<^AYNd~;h*=-jttJZ}v^qRk
z7jgsda)<MyZ9kpU&5~pn$=Z=|kw*awGxOA%B&TEB$Hj-R6ORhFVtwoO%x~hX<l6D!
zrRML;&i%Av@Ab?E4!|Lu{_bO?Z75wp8Hy)Xt1mj&Tfl7OyCqJN%9jJ9g`Gd~8<Ful
zJv!g9<uLdehk;Ua|3JVMAiWXb04;vPVDJMazT?tkzf?yqV~`m^2U73kKnrz0M+w|{
z#(J~p9PpZ~1gJ1dhs{&cwdPgXC$!w^B2>*B2Ni$jgk%E)<^J-mK^TMAt5gGq3QVpT
zw8Nt5SJM6Lj>+als+NWOHVaD#834(;Q%Ydj%d=D=Kq4d(BVIT?jFNsac(r4;{cErL
zN-pWw8z1%uaO#j&w$8NfpYdL$HMg!7r+e@Trvj6+hlF&MdSvaYvmPF_pUWl{${U?3
zpQXJv$Ylr?yA<t(u=%W`9vWrZQp>mH(uZsOCok?7rl7Z|$dqdGiDq|Ya&5!!_Ay=0
zy@>^T)$F|iu#B09tTMa!jwG7XNe)B^b*F?~{M*z{1I!@hzLU)>>41gf=0c*<L2MW3
zwSz^M%ZNpqYiP*stl5Hfs&NV$hHv)^)>7>k3HW3`|1h>B#E}I8U;J31uoLSqq$#jF
z=T#wDF+IOBcy`Se$$Fwg*UqJibDopV!EnjR92wZ0RlrlC-EHI0HfDG(_UEp@cVWG^
zhI!P#7_&WVZ-rg(8Wn_#JP!i(cj5u15_=E?<}#ryVq$lUaJX0*(<ZGVn!-oOjfuQz
zFy+heV&);6ktsH@eYMEG;?i6U13V^a`CK*DNQ!LazSRpCqSR@wMw|iaTPsd~jd1OG
zBt>e2HX6Aji8+8Mp)pIl`y79=@J{j!y83k7gr<_`)M@DnY$&5Xb#U)^WuR#b2WBwf
z)Z)OdYHZgoMVmCA5(OhA&0`n6Ki%pnsR0>O55Cesyg^Qt*|0**Y!>A!eMkQiA{`Fr
zJ@p`T3=g|Ldd@4Q{c8G)brY<8Y%u=(b39aqW(5`q=+z1^TuxbxF9pI$%%=CuDVcSm
zWWc0n1CR^Cu|oiQzUc!2&HngsxVr6oc^c|Uy96Kg;R6rx*5VT=yhQaDzp?SaF8SyT
z_XQv^#)0STt#Pm4`u`k8+*Lt8ByEM5<*TR%;`0aIojcPz)@pN+=hCN*P3}62JC@JH
zB+F-L`@Y#+iHJE4AD0<7p*dlGe|G1$&wj~$g;ZVY1($U36rIp9t8!P^{NO6Cr77df
zaa?Gf<s1^vHVCKD<#V|^uf6%+CN_36ubG)6^N3#^%HE5IOTB;KSgz+lYo6j+nT>bv
z#y7{c=^dbaviY06=ki|OIzp-@<xSdF+2%=Z_J)Ku@J3<i-hF%istKJq70m8_I7p-;
zV2){4CzfE9w(Srr-Iln{ypzFj=<F3$#sxgh*kvBrsy&Y4&-~IX(JHz0E=1Td5d(ga
zU||TDY_*O6%l_zag$J2(Mcnt9V7ufap5V6ZGCUFG&R2i1ROBxIH7?`p`i#qh;p{+*
z?i6?XPcwIq;d*DX3c|jtpoNJPbXEKZSd$C)0h8`=E{mzc$aIZ+YIU%~)_Ii_^x1pP
z9n>9#hy~O;o<0do0q(gU!x~{GIkBL>HVl9K`MoN#k(@`)GAnUZQx3Bh4wAuN=*H<&
z)<4>pw2j`OU-xXc^Su3=RXW%ee^pp|(bpxzN}11Yr!P>$%u+{7xBi+Y>zB99)@??x
zIrDe6<y@vRLY+|#L_~5#=9+rHh3|rbj-gl_dD%MWTS1+)Ycuf<4H&!*o=UM!p$__t
zpFhIJ9du5jYHBu?5?Eu}WN6pB(P(p7?G2uveg3;pck*;E8viBo2L4rxlam4lK>_-=
z7MRW8(24*H5Ks*fFwkE*aQ|rr`i2%J_BKw|fG=IRe?qsofzk}rfPkKGL4f|M^8MR9
zza0Jt^s5GK`%gHGhbCPdArR13`M)&E{td^C1_JsLAagXb{!5PTpSZtk+QI)D^!0R5
z{de5|H0IwW*8X$0t=s?5!29R0f0tAH&)FL9{tt?5|Aha&c>kB?+P|&w3;usAu>I55
z-wUsQmHYo~!AQXWD7OAr*6p7@{+_`5&*`9{{L{x*!S<i<zvnvsN(TJfzT^E3{$Hbi
z<^2BX;qQrtzj7k~HZsD$d-(4R$v++ZeO3SGE1dpM4!*Jza#G-b$<+bDeSO}(5;fg)
JU)&0y{|5&_dyD`8

literal 0
HcmV?d00001

diff --git a/example/src/main/resources/static/files/firefox/web-eid-webextension-latest.xpi b/example/src/main/resources/static/files/firefox/web-eid-webextension-latest.xpi
new file mode 100644
index 0000000000000000000000000000000000000000..c52b40fd5fe649f036b7a704f8a5edd8c82c1285
GIT binary patch
literal 78545
zcmZ@<Q*b40u#9b=7#k-iwr$(k*tU6M+s<xm+Z$|bdt)2-zpuCI&b-abH&rwBRo8U4
zvK%B778u-r`F{iXzk;dBPg_eDM|TG^ppEN=zr7X#Px{UC2SQ7M;1<<S`Q){%JhI6t
z-eDOwg`ko0rY0Sfag9a;1)V!-y8gVIor02;dA+q!;R?%{<wz(k8Lj`~S)#MkCV@Wp
zHpF;#8={~9{KkI-%{Uha@cs4JWC_MiNks`5XoMVPJ_rM<LxV-LSly2hCb5jqwfDna
zTwVsJ|5}0A@vjha+hgEr2?|(o*eXQtJc4Tq*}deU#XTry&?CC}#X;e%QM~NEb!e;e
zj8d3P)@I_yN1e)c6KB;ih~T#Un_vNK9ibF;EVUy7Yf2jB>4Lx*>^kJH=iAoSIo@Hq
zcZKvKk&4R@8niEjq1Mo>y&&YS!{lzwAJhtoFy5D{cW2yF1f;YBag|pe+)XTQYAzz>
zgsdy3mk$O)`k0?!7n8V7{BHpBZa$HZFbqZU@B?Q(t<~h|b8^@Fo^m%y<^$vJ$b|#c
z&lr*K)60>_FXLI?oxas;BI4eEm)~B_Zhp?|B)Nnn$Zy9KtB^H&Sit~OBt<kdEJz(0
zygvhQaqtpg5Yel-#u5F<W<kYB*ef*Gt%kmglT?f^ZJ#L%UjdF@PJV8;4W2%3P7j9c
z?$KTn&cW1RA(*lj;l|W3FId4m5<kUh{|q4OgDHZEac9K+orK0yV}(S63=yJ{_q;Ir
z)QhKyprk<@MVD-bEQFvX&DGtEX@sJHqRCFOO{E7lE)tp}HN(OM)1J7tb~UAx*s3S<
z6mJ1u%V^|QDcu@VQerRtl$ktyyn7XxH(o)K{%kR;ir0t6k(!yfY_J10%eM7Rkb<h*
z1u?ZTl2RJp(BpVc1LhWY!4QyeaFQDk{jF&5=_Lp-q?y>6$_kHpM8e12nb>{8I>z!e
zURuiRRBZ;#G)@uy#)gNW8Mt0i#6-+tFe<{>sz&`Fo>C-ubsHzZ0HMhYlwrMtj$1{l
zbOPcZZnXB`kifsfFq0TZL}1P+nRX4k$uk`Cv9;*X%m>(5HKt)MEUgq~^l}LOjX$`u
zQIS~G8z3yr(@MHwbc`32g3wDtc;KLaMk_yOjU{nm&G=HoB3*#fpDteaaVJ|?!V(gp
zzITDm#GrzP2wiA?P2)`<jAIW%uqlvm*h#1E<o`q1D#*eMDHaFnj}KJR{n1adYfkJ&
zVjF_|N$$fK(Bj6Vw_CouApR4$*oPdSV5Vm9uKBof8ALA!ZZ&{053s%TaRj$Arwn2D
zK^C^v+$GKf;WP2had}ns^*jh}xnuPEns@Mg;L7bOq3sYpxGYkGgsApsnCi-wL5Wp>
zQmtP_MQ|?7gy9*e|8_A$whM5~7109*sT5TrZq%Mkl;a|>1dhO}VFFQc5c?5{+6bSj
zDC><F!)w@2)zBqHj1+RF^^D=>?cUU9tGs(%wzor{X6l69XqxIPVn3z*4xvL!?!Z5=
z)r^rQU7(t($au)#->#Q|yUn6<v>`W+&?)fyj>du_j>aAwMWutUg0vF|(Cs|*na2^Q
zPqdUv@L5{-)L}vlFTeLT2nDk!x+P&bGr}(B#y;j&lLSx#`Kbh9bwo3(6aLWM*v3B8
zEiXkjJ|4Go_hGR1^ry5X4r!Oxm3Uqk>G0B?zBA_thS8j}i;QaouP$)jrEl&g_kTp?
zcuSo!@MtHj|3QWR?}y26O%h8UaOsB+PocI5!W>^kE>aTUq&DZEy-|xt5zEE(YAhys
zRyLSnGGaC};|%2%X)u~rOFKtz`+ywOfQWGyUpRKtoF!?>5rOPWpU&q1^-_C`X{lZn
z&8A7?4*pEj-|>shPaj#OKoLH;IXTV7RHYj2>$i(%jlWB9p(YDQ=#2QKq90%Sw=Ak|
zaGfTpLDR==ejWO!HY*lZkDhD~&oIqgjd_(e@phk4wC9;E!u9xU^sEDMmZWP@nn-RD
zb&gQ^UPVX(jhPasH5I6jUiN{xz@$TiZgXhbM5tdffxFv>m)AzG(JPU!u^3u&Iv?q6
z0a)2!txH-9@9T==6!1Dfctu4C#dDrU*&)(_H!Z>`!L~TbI-ERs%d%K(e*<P|7J{fq
z+|eURCr{9wj5Br5_U49xnFbOnW2waF4uARgLAo@IiD4b`q6AI<g21`j9W0f97bmaT
z{h?;#OyHb)D+Z!o!t|*cY@KFhZ$th>NclaEehjTN^&3NzJ10QA#BikI`VZ{Ha7&Vm
zRq3)2oj5LJ@4Sf*5|Rbl5PWu-$6IgfU$=z0_##wgo&dTVq}$$2XB`vu?V%!M-Abom
zK&1I=y+idRROXGTz8UKjWq!!{FtgnZJnB}sk>WV@NfV~HB{XLFAF@uvqY=C9`MQ<>
z)=137=DpXyz37~bcai<^y*2j7qx%OYC|h(xdjmrcnFju+iGswyJ{~4Z2XiUeQ;aE-
zq?bm)KXMbd&B?dcD;TtIQsJuy0O~l3QVNBX#`^6mK^<#yM@4BeH@We#uo;w_OnwbE
zv-q1^{j=|ii#XzTwqMgv71A@A)YegCx#y?5(`$#%^f}xi-R+XL9B!zOgmQCiKhg5@
zh#j^I+}HApsD81Fd@yzb8za4J=#P@4`5AEES!KU|;TMCPMM?V4Y}J}fCfhWU89EMT
zt(=&o>?bZjK0BvdTP0B$=j^u@1L%DHmJ=;oQufs<M+^nT&vukOagT{q>8!t8{-(I@
z7WjRnd*m=WJq2POB;miWWa9m|=G`vbvNXSuX1pcl{u`$xCH~;tu}eUQOTg*d$Zz+H
z#}$+7qN+hngmjTNvuw_~WAh{dvb0&oKXmah0LEj~8w5=tr9FyI*>sbUO6Ohs$no(F
z)a^H!Su4*=8WGwqEGo*1Zc7MTR{Dt9n;E2vaRki{2@<EHF%M?VQ#6++=3(o=F{rLF
zT?<yl4k%vW(;+N5BDhsqduazG*wmOg#>adi6KEfU+V0MBPj9#e-+IMfg)$SQd69Gu
zdQNPJo8Bp$L+=Js)jN~*Xr*7%<kq;9aGkuu?>7cZh4xi9RUn@`*U%1oN1YO|hp#{v
zy{mx;y0fH+!2pLDcwg?-Ez^$+vd5jUj$?%+&H7y!x3C1H^m^Q3v3(RekEOP}O24F*
zlMJ7gcmApd?(_s$d;>=dYZg@Wi=b`!#{RZ-QVwDYrpW*e?Y!}BX(_qDN(g2vQfEEr
z1*L?->C^_`$m}q|f*^7>0q(6BIbg#QE+?<|ojoUou!7`XkKi-lRgyaJ07$L{@*D_`
zjZ9f1(w`aNP%HJ-iBmLSw-EY8;lNzXVf{)7AvZl{6o+y+NSe@E<!$g1SyI996%e=^
zBAX!)%#76&dKwYw-{9^+2!&ttslq_6*k}LwNZ<@vINQxysd@XtDTx!i>*T)*trJJ(
zmz)P&y2}t!sv@4^AWURw3!)pJ0<iOi5-L&Z8B{V?8mr%K1G5t*%Arl%XQkxw<ySP^
zkWh$?b21!a+G4o&3Ch9L_<Ng_OEXQ`EK7KO5<j)mHe-8Y*Cw-$pff1V-=K8Ob7wsi
zmQZN8vsvn4?b6e0j2#+m;;r;>T)EMuflS(M5ztS$dp?&6j3;AIw@=u*VKtzrr#L9?
zaCsa!xznf2-#hSnTJDCh_Z#mr=B7AHMYRJZ;B%u{<&9m;9TPP5I3=94wdgS7f8ZxD
zo+9Pl!3QV{$o=3gKuS?Fl*u9&A=qkSWyJt8FhG?BRTL=G+{Go!jJ3+*?>*o2zS!hN
zE?7L?wa>_}tBDhIGRlw_6r?=CU(s}qak0(ThvHcoCB|X~C>Q@a4Ph|k{2wp7uI1;+
z3_KiBo3W;K_r_}bNypz0LBlHw6fM^v!38ZmP;7j%9hFiH7AY2ssv(6iO`)_gR%{CK
zRfpmwTL{vTu(X>?i9`rQ+Xl1Z#;!48vu~CHZB|k3_QgedqVq2vVDMTP44QFBo3loG
zb_Z{7y~=C2T_;&M?;nL$>~RhbG4)h+SJfM<f3)X-Jw;}O9~xV!2@&P_iZlzeXAN^u
zWDIq@!(gfixDha{Wyz<#1wctoTizRiCa*>fOo^o18TM<)RHeU)X0Xt~4dPA7SZWuP
z2op#W_^4^dG~h18O8a5kY-Q{`7)}u!TfLS*L74G%MytgYD~b!VMtCuepI1M2*O3IB
z#OZ+WK4N=*@h*(yEnnE2$;+X1Mv3va(ye;N@l>E?WKYYRC-tTj=5Ksn?$EZ8>TGcR
zX-Uu@6E>vMxlECw)B!>Sjyg<A${@f6!=IAy6^?NnZn=3NWBR2w2dSV4p2}LHJr6X0
z`VyO$xe|7;!0fWvW<%<RP2$$2LtD<$SdzB7;y-65bPa|D(~+zD{XcKP$#s}dYe@-;
zior}qK`|W-Ti-uXyRqIZWTqXTo))be%)R7*wq1;VKF;})4}!wvzN4=jYQY0=e<z~{
z8(*Lw8R)O!VQ`s8GS`G8p1%=vBM$V8+r9>Lt2C-C9CYc?thF|*?O6S3)1vl}WW22>
zdPGIp6cPD5Qm_dug2R3_rFjpQ7_TQU-(RDLr#V=1yoAZCI@qKz(B07KsI&COGdCs+
zTX|`fB+SL#fXdOTs@<Z>d6Ai?wdv{M5#o?pgxdhwTsEPl>R%kC&J^GlgX3SFpWj-u
zviA02Ar5Wte)L5pe%RQ5qK@!oEjX}1J#41tsLdntMl~hXq#+KU3BO-CBi%x<=9TH{
zwS7gj1jI49j?&(21u{PM+@}D-D6&uh*qs2Bfz4n?p)t`;q81P8qknA$5<A!HdPK}*
z5V@fTTSqPxTo?03#aUi|fz#5n6wv1832r}8uak(ag7cq18}>E)eCyH*cvSsuXsSg+
zEM#Ut*{mOJo-W42z0I;qs`edVnTu+%#`R1@JT0P{PNDS8K$M0kfgugqGzH9)pkMO2
zoKlroT)BVz8j5Mtg4Ap27bA>B09uHMyaKe$0`eR~QTodmjYD4SIH^zHOS~C&jz}@{
z?&S{@%F*yJLD@eGhQSKj9>veSBrW+graR+VOctefu-pFTQD8!hCKZUlcymHu+ASLU
zLoj+sM|E-~?mv|sD|*hlhTwhWLq^QXQ(e^@v&Pj+@zUO-OEp6R2d>rqIt%MQ@M81p
zDbK(+p=(f>@kaBcG2P|LH#L&FG0<U+#FFDpsVkXBPSYn<iw(+O#F<0(YsH)R_zG2N
z-9*CO3k)J5_rqr^wk)GM<xcQtCEb75wUT?pxav~M5p?lzJPqWeRt04!ezUKYn8tCl
zuYM3HB~z-EnuIXq5sL(6^x<{R;OER%$?J$fAB3!Md|SupyDu<k>lmtEj74Q4CHh#z
zFlScQSK6pa@Sr9^lQG7Qf7e%C0F`@oYt6Fz;w7wDXqg!X$_5|j$*WXx>Dkey%7bDJ
zGFb&0TPFC~s$qUtHvE}pF$4|vGZqyTAug0y3$%q|r=rur=fjcLX~U@=5#THM@XAu)
z$b%v_56QT+e>n>k9dfp`nWm4#MOtWig2Jx6wCL-X54M9mhOym4J#4KE2a$fU?|O?I
z{SoM;I)k!6xOWcuQ#EZa1Nvt6`k-t{Ur<|QZAL#<nSQjG6!ru&N}(U#*GU4aimdHV
zel&N~BG@8PFB33kG>-|gshqf2US7Q{wx@g9N1Qo15{3LMl!N;|_j+)JEtPjh)Zt>l
z&0lYowHjw?z%yt#2BxKg5cRHJU<#C3rBa#tiJ4JC?P~exoVHQwC{EwfS~U@+n%KgY
zsAet)Q7Y2iZBq6n)BmC!)iYCEzeajg6%l{SDG+<mis<9(I1aC_$Lz|PE0MY^ni=5U
zQHPSRLKa-lsIm1YgVe${Tb`WA*?0t23C*DyL|_1>2D5Sw2kRX|6(BN(2_}JnwqMQS
z(!TSLVHk&&P7%Vtj>5eGr)X;ti)s^F&<i{Q^P-q%0AQI-ytZUa(%|KNAZu7Itxp^0
zqorc!hp+06W=*q0C^j|Qc#OQEn{oF$l>B9;J$<}FLb2O_K*Ct{mx!B3kt#-eRR4?x
zI254hj4EOCJcuqItkaGCe8MbK!oa~eJ=qvRAwhCunw~VzDHgN-OyyZq>?(UyP?_)d
zO8)$sjEq0!p8l_Eg|+pNR3Qp%QYdSfCR&K6E1a^GjdnUYC3gBOdWv~%r$9(Fiq(9?
z;Yj=#9?E;k9#X+SNve(iCUM^-_c3U~;;)P3(Gqgb@D5n^ejpSKgcjW4uv^@{Q>(o3
zbGBnT^;y6B%Y+GPuX4)&q%;$;>FIFjMvha32=`*!c4%SJ!&bp<wTdCJ<zkU))(5Rs
ztkxkO(yGl(Avb1}95%GkW(eU#KO*o);Sv&xBM1Hl)&w^|eWQb8E10m4x6YD2PNk-6
z4VWIx2u2jPkhZFgmN`=kGj{+@{8e`HtyXHg4!=jYSJ7u}^DIb9rJPE-Y%H%bXKT0H
zoS(}Kf{q)>Gl-#;l0<IOX<Kk7D_XM^$}c7HHw*Ho!}KLe6M1<Cc3hppCy+_8%tW96
zAm`Wq2j%0yaLsl%-TOi6tDONX-%S5nqvH}a%k$r!b%(X_MN75=n%ZE^rp7&YBw{VR
z7U9;JjQSBY^(hhSPttrAh?rT$JY4jcs2AEQOZ$_ZryGJaO6(5=d_Hs>SqD4%lW~ee
z!g3(8SA7-}CSzpdT8^rmSnJF#+{-=Ay{n?K2kjG`fvy@g!t$pPCoWYf)BZw=LIk_p
zKHE0p0&y8x>@$U(5MAj7__q=+Q90;0t|O%dzL3^H-`}P**DT@9Sw(I|ly&Oek{MhK
z_wg|@5_^^6bV|}Tl*oHF5#6j&qJtsQF&0%-{xt-+h;bN?%%x+s@STXu<B30B@ZJnu
zE*s+~^{myo%N5iXrf&wn8k^C}0nfp$tN59<y1531JU`+94^~;c7asl1@Ca~qg>zQ|
z5(h5W*K%N0^)%>4AtU&gzF@ge8NktTff!8jvH}^CV<tez_C&C5MjACwkocq*65UI1
z`C?O5dK$w6ZsAdRI=m#-Z#pR*c-lYU63jcANvqt?WTqi)22pd+*Rf$GaIAZSTcnse
z#KRwwr)x(P15cv!I$Ev$u@p2JQ}i7~mVK4(6E1U)B5S8IYy88R+yrqtBivaXF;REC
z!gIbP(e+;Q>LA{2@ajM1gGL;|zo{ml%M!A8LQqJmVU>aUGkA1$N!xy=`X9EfnZ+$$
zB>7@A|ML0xeg9p%u3=;6cIhr|*r1`g{$M&3*KU7UfqrOEmS%QzmDBE3>`EHTVLm9v
zR&}fe%-hv8ZK;kKu(T|1*EfcMcc$ag%Wm>|gp0Eu)zIi}DU3eZsK91Y(U?5lskg|M
zdGKYY7y1ZG%;{X@h6e=aZ^}pMo-bOeA4X^3#&Cq*1M$=;BED3j;@6N%<uXqq@fXcu
z^%con127PPkJBW_Wr%6yiimDR%mt&J$24F(QcXM=$aGGE9<I@~h^h@P4aoO|NA4#M
za6K6JF#o`!HL5(mg5$p{t<|nc@jgO^INtt+TZ(oQ;qsj1mN3_j_${=j6pFqr`na;&
z(Iw^?W96mKIX@>4!dG6E7gYlHu=GQ8dg_WZxbhPIA;<OR!uq1j^=}&mwY8l&CAtfq
z+j<a?hpP|N>a{tD5(8OCTjz7IdIddJIS0w?)|-G`4%1Xf>FgJO<J0WVB|~-3Th0k<
zRgw^e$k|~BVd_Pwd9u|?aZMZxJH@>bvUq=JB~J{;{U+D;68#E@r(<)v5)aS|{ir09
zEP{<TxG)$cIUi9XYyN~c_r<LZ;YI0SyqlhPrxi#nZ&s>)b5w%mewTd`Joi$>pU`ju
zP|-MMapLN;b;TWuF>>GA{dY4~#>1!6R5iSqyzE&<GBGqZi)C~#l!5LNCaI2F<C0P^
zwL2f;p{Byft75}B)3kjCMS;<Jx|X)@&g`M9OWV1JK~*JOzZA)VGv<k@W#@i*ezvbf
zP9D2kh49bAL3y{RBrA}OR$i3rvE;Ct3hS$!H$UJwYo|^{acYL2<5@;Yh(U7l-oGyA
zd2)C)))*3vV-`fP>Jfs?s|?VVUg=1HXH%N+TC{E^vXtPF6XprZEo|{5m6yhr=wri?
zVc3j1Kj_1IL&o7k)4Aeu-6+C^9fB_jHw`<NYuYtG&bmE-+`GZysQVH%y_2pdkrrmK
zuO`|neR`Hs?48NlB${%&PQqog7wn_JCd3gTh!*BJ?N1Sy-|^0+cR2R1HMbjgoK4l*
zI%9_}=sG&PQ3T_X%%hG{9=yt`auS*4nytXeZj#&f=So2ul&G9`swNq~NmrX(DUL^m
zcO_5M+)95GM@isr49hraM@quF`1wu0&Z@!p^HBaKLm;9>T?ly2bB%7U>7^4RTO{;O
zI=J>0_%?U9F4g5BU3mz{yLVb!lVR;>LN@^Nu2<nK)55~dH{OhZf>=cXi-z<PPn$ec
zE%V8`rt%Z=jCgpPUCwSEAt*cIhZszl7c1?uDQM)L5Vyp}Y})C@(SJI40Zeg_QcZZy
zwhzBmD#_r(W^mOpnwV=Tu$ipH=v(rj1O`hHi=4?BM5bg9vbF7)sb$rxT#Gmpv;VXS
z$+gjil_T1_7nFIa6cz(0g*fc&cc~7Gd5T6V;My$hlIcp)Tg6l(ER7xyWUaxO(~*f3
zR?5?%P{H87IJpHOu>Qf}nseFm4G`e^;%SqoLR5M<nnmbUhZz3=<4GzlDiO=%7CUMe
zQTZb^&bakyRiQ(InwshVocB7(E;}k)8p>oe_3EfoXj@6^*}j-m|8NXnAGUK}MOEs1
zUu%L~vNTjUIO@6bgE9;0>#v^eFC@oGwHgEcsc|Nfxk^VAf&A0<Z#5nZT-@n*Ecj3j
z!CSiTElsUI9wN7r`MgEY$B(JY@2|RSF-cXaG%n_n^PMRPbEndj!rrhks+af^oy%6g
zbyAAGJFH|zm3B!$jitKMYoWk$*`UQ%YZ{JJ(yPTyWC!B`$N|l4FO9JuMC^F$5S1<U
zN9#$AJ%^&Ws+JrO6g--!MRXv5P`ah2FAM_d#C_BmJR56BOA{mt`U<S!qGYE*V2fC>
zSUC=B{?N7FP(T!cM=v&!ojY7DU|eAQ;z|BiW6bxUpseqlX0zC<9C?QM`T}lDfw7qk
ziFv>Sc5qfyrMNO{YzcH{2GV6lMES6NJiQ^McE?JLwQG}#?lfru7d8I#ntOS5A&($f
zBe@kj<zaD{QOvM6gN(lxu<j?u2mKS<l#eO!n|yx+TmAOO;}>eh7|9#%eCGEo36jtC
zJMMeW&=6P8Cka!0ye*_rpnP`jFEwmryY98UTT66(^W^EtaAlRdgezG<o^hmqNFDmo
z+r?k3nxZOaCnza=9bIaC$~ENU#0%F;WLm#RW~g&V+Qucr=uEhO*p)9{-u#FM_gO?>
zCnHHw+KDV19<&@RJ6E1(cWv&+^J?$ULXNLFy!PH1+Gp)2GI9x0Pf{MY0+cNp7nrqw
zSW#B3xX)9$Pq4CK8-4Gi6*h2U>cjr#7)aqzCwOz@k<FrnXU=3b*<H|*Q-%ztx-Ubl
z*F4j%&tW`hQX9xflSi9)7yMBq@x&C{M+whR<RAtJs9{8Xu<uCxQg74O?M&k)Y)E8R
z3bIPYbYc|WBI63g$5pkk{@fjw;KMeL|ESke5O2!twkw{4x*dZYB}QP7z@la}^;C?p
z&18f~HXe3_>xpg*7IeIf7`7YD{bQ>{3~>Mxr#*0uO0i^p;+Krlac`HPNQ%P?OsnSp
z6&}?TSQ^66&!s4QlEJh~@Y(sbkjWLLwKXVrh)Y?TN|qyUVGC;~`<qqkADk3iD%6>J
z>g<mas8-7@UZSJCs9QV@30hnWGc=MZ*S+~%e=pnTZ!!(^#^Pybm38wsz+&VY`*0qS
z6VLy$h;mNI)?`}>UdS=3l!a`is^*=i9*ULn_7wOS?2h#0R#=cR)W6I4DiDR5P{ue)
zg}3^t1zXOcogN#@tKL3;ao{~gScWe1tfq8$wW%asM-SAUVetmc#cY2i{Mz4O?y~vK
z%Du63jhb9z*Ce|YxvBhUaJ_qT(Ogi?8zG^if~9epha7lHf{gm)J5)$s{eopuTZ^f!
z$#_+!$FZhW=hHYw3@Q)sHBRn%?q{DfcDnhZA=PCWm@th(XQbj5$S?NtVV6i7ZNOTZ
zr=b1a;orV7Urh%U`l?2}mBdzZeC=oyA~1ROCZ`iiQySwB_|_QXilY_nTa?oldQ^gi
z9h2%Rd@O!Hxr#|gZ~Xiweo7e5h#~Qja)cFn2)HmpLKS>S_#4r+dlZAq*>I!c=yjv^
zUF_+SO!o?Vvq}Hi`d#bk!QIVG@Swzm5+Cuou-&_f-pFAXe6pLsg#R1)t>V8|m=xc?
z-Iqy_@?;&LEuZAbI+R?n;K1H{)4@eyaM;A@YB#x?8tr2OY#x=Am;|489#FRpU$m=C
z?7lvHXc=T;sHC^Yj-1$?vq_-~j8;Cszz33*R{pgfr^leehNAZDeW9vQs01I;<m|&r
z2|c2qZgYmP?PQ2mc|ToLKC4~t);}NDlMKjb=%VPby|UIvk<&+fo{p6qBuL?YE-V}@
zcy0F7%@`vqYtDr*Edy#l4@ykF`yz2+r9!`YvAHG@7^GegAH2M}1N~N!n1Kz1`!`Oc
ziQH#Z@b||LFJoUSP#gwlhKU3$4s@POrzGz^Bw8Zr=ILTv*9HIeLTlglEp~nCFO-k*
zi*>SyxPZ7@NSoDi=o+O7xdM86fN=itWjgw#@9{Yjesk#Bc6{V>doJMnh8djUrF$7F
zV1?ibC8xah?eyV`u~U*ViMk7MG(4^=UXlABNsj=x&rT`k)XC9H05={IO8mA_?t`K)
z$=gr>1L;1-x@kRF*_`tC-6hPsVKz#9zMq9la)I)ojN~84sjzVoo6q@DDy_cQJGYc%
zz6}Q<q)2K=;W?q-A;tWl9JSZ+X^a!wlb9(u;JwJzzl&WCuUA33++QfXd1pXO+49~8
z>@(s57V#G3dJ#+dJ)^kGr%b^fpb{i5+rtv?H9i{hCo!qdXJS5^&NtVp=gy(^>1RVM
z?zeJ1;Bd_?^r|3__{_;4lZnX;W|1r@`FTk&Y08OC@7)Fq-pn6T<_Z01MEgzsEk6r+
zytsqB%4DMO5Bz`J_$@&gmOI+PMO6|-k^Il(@o-T}?$`nLc5ZGTPd{f59~vJUk7Jh-
zrcR%qwQ{FsuzQzH1B!~Qt@r409<iV0U&6TWP_AxODGxSxRa&TM-3YDx+2IZyY5hd~
zXb_AyU87fiEx~X|b1<XL1fG_wKx%v8{Di?hK`*_!h+xq?uX^D=d?~7)6c`(t$Zx0#
zLRx}E5riL=`le)kNIJzMq5utbRj7OD%&OyF{9r$}-@&YBz+2D6As5I_V;#NnPPzv&
znE2D`{@LvzumNo_Ey-K0l5pF0VA=42d<K+30NXv4M_&d$Uj?tOHKdJIkHtZrx^i-7
z%cbq3pi_1FYTG-SWhDdGS;rM+doYq2OgxVW+0;(ma^MbbY^Njc*NdHDtHvSOIbO@S
z`tcIJXAha%FSbVf%YPH&jzaG(*FYm7HAXt!@36|mT!QR0BBz=&rU8shD}S+FV|w{O
z1I;b|0lbwF4G$C9+8BOx8h{16^Pq!1>6UK7xHRE)PBLwe_kJ$#4Kt<~EU@o$^LNn%
z#f&CZ%OYC)-yZaCAq-Tj$1ek;t|m_-bDW5nK9$Fyjwc8UFCwSbEJzmrRE4j#3uiYQ
zwK7NsodKfNrhA&w^ljweSZqv&1r-m?AvqXLXi*RCM*on8PLmU4N-ek@*Si>NZhk_L
z5`JuII|clCRn+PszFlbXt<?<}7nMl3sMveWtV#ILzREsDh*pAFH~~~$06o^r>h<U9
ztnX2wU2na5jL&^Cy|z)!_1CDOSX;}LQ2$Cj11C!}g2n<IlktqKUzs9omy^OWW$)mj
z1*QosOQrhJjn(MNSwq`9&a;*ciP>+Is1WjB%2IOvx-+8d!2&x9?YDW4!dAd$(#@z=
z1aZ@&bH6t0JxA<%V~txsu9nJ91nG9DAG0zHVKopb`ocUr_J+K=(6jE1e?3de!a1tm
z$4h(eGzyFTWAC>ffYWrs!ChXxId{=3P^xSu-Es8@;`8O)JNC^*SMYzy)S4t*lrlv(
z!f&b#ji4tz)&6>762Iz_+GI!SX;%G)E&lN1Dyv?G-k*9-?V|tbY}j?hCDxpnbamIo
z%h`Tp3ws05Cc&Ewg*zw~m%6KK>_3&>E?EKx&{hFB`wr)B<Jn&*l_?rqsITdg9NIQo
zi<Hfl$8vE%Sz4IGdHe~i&H5$(f)b4_oVFdRplp2u!3)%TId#;Ja`<-E@Ag|2>T<Oj
z17{pJ)K2miEKh1ye6_@6dGY+sHGeRCx~AfTFFpDY$`1R}@uJr#Lf43%m*ft1CG_HQ
z*U<P+*G2>wmGh^VPYFjX35Fwk!2=$3^Z+F1U{$EZfC5Hdk%MJ7<gE6yOyyb4mw@DF
ztw~qVNl<K@QWU#f$M9CP9%jqmq3SSC!Gm>^b~beTwL2$4YW(ZU=b}DD-O97=LUcM8
zg7uTgj~+YdB){X>mB{Ttqwd%DdZAV5K%dtWEk(0DMYDUthX%r*zI{x9(76zbEF;7a
zuEZjtF9P94<=QxH?<*Otl?g@hwEXIwn8M0G4n!%AX5140a5e`|ab}Loelsx$727lm
zeZE(rc)jkIy__f!-P|2b-ZQFMSxU)U&Ej`|N5yS_Th~3xAE7vBpd%B;_%wTQ??WvY
zbYUH7M6BCqniF~d%S^>*p6tJV>K9g#1eJW!rt<HkoAVYfsge<R0@ot3OgX9C%7JL!
zkzSl>Z6cpRg;UHWuFn|EOeVocQ7yIPiY$h9lU8<W7A#UxWLdJp3=q?~P#?d*Ssu-%
zc<7-n^ETZ<e`0Pmc!egO=n(S^6EA@P9%L_Rx3Dj5QVYdakH-~bI3YeEaH}Pto2^#7
z`Z+?;D<?yYZRv54RyxI0+tS?cWuVpPMnTRWI1E`3qvcPt6HCb(+e8I2bI`ShU-xGP
znlK8_d}U?DWAHAD*W+~|SH<p9j22UWjL=o@+rkye7jpMEGg1`=3U$C^0^j$>+h@#W
z-}lV|z2DQ<#a|{Pvb(3ZUC-2y%cY&~;BV&BPe=MNmo5QnE>N+bZ?kgG>COzTY4uTR
zS4@R4H>m~O1;10HDEx8-@H|p(^|)PJ;$H>sNv&d3#+Pxr|2%Z~Luz0zzY^nAun*@T
z10rQL#vZ;srPot`g~JMS3ig2>PP>+bMdAHfj!Z4zCV0U)v{;;!0ay0oBjfX<#!(Yb
z5}?;jHJ-c+qi=DAm&n5O>x^}*g_Nd|K5Jx{o{E|ROep$$Q&h1WRGtOIGS?^1Y>76;
z&l0!+G#lIEc3%W7SGFJ;x(n0WUWV+P4{;Yq2oG#azx{&NYpkAeyp+ELQ;ilAP%f@W
zie08t_gjEAps(Wt%Kk^52EL*Hf;=vEYwOq1IRf$QbpN(?-r?+~$J1I;7vc*MX=51j
z;v}F)&u+7n(7{16hdOZ<Qa#}<xz9y%zNBg1xGNDz+X5$c<5OV(el0bgA*nh})tu~^
zRK)G#%h04S{pd8oSGCM0R2%!(Q#_voEfu<tYbHtS1X$E7lNc~8ypqpbiPP9lH7ivR
zy0v^ydB5e)9W<E+(g%p3Z$lIG15~R>FQe0$_zH`Us^DC8cFS1!l~B#sYHEGHc~zd$
zjGi>KmyNB#t}nBq^8wywoE$Lvj@{f96dws3GhgpY1Amv-<_6{lZVElUZiIOCpTm)K
zA9wl;Q8S%8+(|Fx;3vGjg_!XRw1BCP&fdPvH+vt3gSUo#ngeYC8h~Je?%zXBTVTky
zIz%z@!1Om8WuP%D@-*zuBj}U2`bQnF2CmHT&LV`_&03`#C1f))_AUk98H6Ml0dqBM
z1H1rHpjm?OnI?8_>s?T1a0Mn4ETXYN$PSMD%5!q}AM%b*i|unh{&ML16kus`%P(u4
zx}Rcs=H<o)u?`(P5m$LbXFxvSQ48FK!Wf3U)-`nLbM#7K+h644xqVSCjC459Mk2rL
z8|E>!1^V1extuUsY%>Y<d=yO6vM#%1A}E(FQVat&q5}h?W>Wx#vg%b+BPMvNgN+mf
zdr^Z*ObxTIhOPC_s~vY>zk1*bmF#g@FhW)JnRgy=N(LkS>b#NVR<mqsfqT_QVN5^w
z{s^&hM?ZxemZ{%pnxrcrzX2I=K*m_RRr3VR-lcz4*ijRWF+s(&3+el!H1u}-tvyVg
zrUk1X%ezbNDsp`hl+Qm%-(0M~Z+4$ES$cxRtav<?`>-;DNy$~LI3Plqjl*6X9{3rG
zFJUlE#CM{>9}wUW^a#6U+E<(GVV|=?ybf4}yo^aQ7cu96s*KH62DsaI0^0nR)dkg7
zMxqCz(k;}SJ9TIUEb?w<!sKITGnEeyEp6>7FT%^75}<OEi>E(+id)D~U257#j1#0o
z6>!h#vv58WXCx8gw)^R)*Gs$Tr^lAy<63R@a7@56pz6pp3eqpS@))LD!kt)egl%D|
zLN1%dnHO{m)=xMfxW-mmHs#7bs@*I60Yb6>ghIjmGQHaanukDnhoc<!>AO(Lqkb<?
z2v+_$O;K@!zOXj(6l+(4wLIO!>dqv2+KlTjcLNOe9O~v*3zf^8V+_sg|74$amRF;#
zj|Ag#Z{dEP_^8+-<x)e#j&Gh+4RwI%q51aa<BC>QcbB0Fu=+^5>Mb&2HC47u=-_vm
z`aPLTF6)ovaVdl4XlNIF-EzoMO9=hmy(MxyZKN2U+@=<WxoXSf$9$u_3NS}Q{az+U
zF?noO5^J{UMpR$%&1gMYNuYJ?@+yNtyDkPIBpS3%18G0T2Ow@Wr}WR=3Jr%}9_zI{
z?Upo$BPzS7hU+5zYPwW<VfH&ZtB#UxUG<~zHL|wpo8bl!+6E1F=U9IA>aQ;HCwe+%
z!0p>?lO9OG&;77}aY*fxyq-05ZCZz^NACIp-2?X$E9*>bv>rFbjD&=hD#UkGd%EKV
zQGz8AmXu%Z4~-B+zjd)ZwEHIfYwK_ka#8ps9CLlAd5zU?)yXckd2&vp;4#rBSY6m8
z(l-WB>$P&jcg8nkr5I(l<62HI<hU}^<1nQZZ<)`g_*q%X*8J5dwNN6G0CSSNjv-1+
zTzhJ22QaMe37~Fk&Eve6rzV_9Pd1M%<E3~WSv3FTisM`sqvBvq&ngc3#W$5u8+|eC
z+J>wK9I-B^`PL8C<?efa2kMJ&3jAOFJHA&&aftjPZi<KuuG|5<o_mn)X@-RH+ln@8
zj^rQ%x46^dEst#(!vur?ALngzwU;y0z*N6Wzxle7G?*TOcrQ*36KTul3+X18rP|EJ
zOZSZbWME+hl){+c02@!DK!`Odc3urjXC<^WLaKX+-^esgzMO3Zht6;)h*QNm^tqy4
zyJ{f|dR(nFnwGE6T$B^FVFvi=eAhn!GW_5?_<RcWD8hV8uA6hMHp1&2olcCj^H^x*
zYL2JrelAO&r;2DK+!Dx#wSwP%iJtwI!h6#jU%xsRDfXbVG^pFA%a^E)86MLGH_|zM
zMUo8-A!jTH)@W6bR56t)*HD7GDAPOtV(1UK8C)^GU&K3PqZF35M0?Apwh5*>jF$eA
zO{wEAhBK`Bi3GuC_$F_0?<GNG$Gbk;YsY^F?@%sb?TQ3ves^g};f0Y?aNGf_k<Dk7
zpy#kIaa}FZm{J~9x2E8o@3H_~KOmX7f}b_2upNywY*Sk|<*CXutDu*h!gG8L=JxGv
zc~==vfkDQNNe;V+$C5BUV6Q|co1@o7ptOQH*2jw~(4{C@n(_A?f9>Mo4qHaNk=^()
z9g)awm}^aBX7khD8t*w5hMD|TwB68WOdI#>5EfWacdfcsI7Tzu(b59_g|PlR28Zvq
ztS8OI#G|B<aO>_#(++7ThN!=j0iDMjS-)YPlS?XnTmx3QwDvW_y46h4;r<(K>n<Lt
zB||0XEEhvz`|}@jeCG_%n*POy*E~I`YEch%WLPWC?ErTzZdhxrVc2(WX%Q~TFUhCw
zmF)v73gurxQq{walqjQfJ&V2k3p|+(_pLeBF$=|NHJ9*#bf)DiD6_)b>;prA!Ysc$
ziB)L`lvQDUIJLkWa@-;3uiX<!I@(1XZ|+R*{!4?o=DYUFTmhF57cbqMVLfn&b;6)L
zUC;-u^U`9{Q3>roq}3@DZXR_5B@@n0E#FIoFsatdQbNbZPh=cV<EE733AUgn|73>;
zj2Jujy~8*(Uh4m}z^sMZ5#^wV7AeLYoG#AwXLxC@ab+v7&8qf1OSY`s$Ow4S^}b=6
z!+&{l-M4omPz&;qKBgY#u|x2C=kaSn&|}K>XKdAp_9f>L?m`bvRBP5p&B*fuBSZWr
zYf{}}Bx7xOah0wyrRzX8?tm2yF}QV=&$i(ay!G|lvqvwlz5_}$3EBF&$2ekrFIz#n
zwziQwB{V%*!>5(&y!kCmJtf!i(iYOSQgL+T*i;o=JUWox50ivnCMrL^<aw*)_Ht6g
zJ9>cAYlnnW(F(QT-aS%)lJzjNusaRU9w_kD62ZGK4S-Bz$D6Q&aRx>V_S{o)AkA)y
ztW1G3$~#fPEbCqmGN1lwi{mf4C%z78<>@iC)e_Y|{mDRo=7_kU1vV!b7ml7ee9p&V
z15j#bdQz@if7HQzXq1+M?ktiLeiMOE96m8#_%~ZxL^%;EkA8{#y0%A(-4sZP$wN<3
zmQ<odA_f|1m5G+H{7;y+`<QYtz&vr#M+AUv*61OS6qG5Jpy)+G<?ocnGLzpx%3(>|
z$ICRgnmK<cLO?GF#8~4C;s<A_?6$2FJSzw0Ai%e5>YRIY-L+SaRplK<fV^}~r;;fc
z`fRqXfx@-feM`h9t^j}Pwdm_X0y`juRv><#X0v<%e}ebCze%3^&jF4C!CTbS7yfx!
z32et<<hT49G;4VO|42Lw>p)e(BIYD9147x)RiD(`!`pJ3-TH|UIF?66nryLXm=P#k
zFH`#~Pl$qj-0M$BqE;#QzsZ$C4NaIW6=hlv0cjg4R5zGENw_NK5`?M;cU(8FM#R5k
zuX6t8pn7aWv2c2>6PDZtl>eoY{Diu-uNa8C^vRnjrDT%oj-)Iwt0|-UTxoF_Ih00H
zR*N;oo8QuJvBp?!^4%#t<Gt48+I}m9jLs}>p0uu!gqjiz_XSK6t;#i6Pfb>5|AjxI
z!3{<9mQbn7Mbo|c7h7iHXS2q;F{Qp9aTHd+-0>$D1{nmdn#6;iVClwkVussJDb%v4
z2Vdn*d^d&FXss>MZA&8<>20_xqb=5_sNT6DEC1NB|Izj%1@mI@VzZiME#rj;UgeYN
z{KCs`O=rfjp-@}OjlWDSm6d+^F*Y?>hJeu`sWRob-l9;-#LAbtNW<)hDh<}c$RUE%
z!d|<!X$`Bp2x$(d>Qh4PDeb!Yk{<Z;Lv*hSOI^v9YqC9}$?CcSTdM8|CS^8}9=%+~
zVEz7sj6EE@^eWUw<@oeqA-(i+lFT_=f>aA1xr5Hinbq(1^<$9jI#*TB<3(KdidGJO
zYb857IiaS!ly{aX@}Q(gBy0trdy%=?J+*ku?S25JTa=5U_ttmkdIzA%0x%m^O_cOQ
zv5#jf|Dof$V$+t&LHq84z2To^mC;q%1KH)W9;AK$@wcYf0jg3fKAp~qNL67n>erf<
z5H*OtX_Duu=!dUA+c@#8Wre%$LHW_Rljk?_Xt^d;j&8Q1PCe{8Lj1(ZQ4N)0o9LfU
z?68rlB#i0H43o93!i#yzmQ;=He!WKnX@w#D08oeXDnUN7s>?rOS8;Pf7pd*9yyO83
zI+<*KCsx`A5?5Xs4^+&pGE@u7gv;!E%HyEwK^`=^#G;2@X*^7a`NPgV6Brj(w_(57
zHnVBmE<_W<(rK%kBg7lF!=B5&^E@JyB?VYmsiCi5fm<@jEM>1bduwt`U+2|AcvP-e
zuTYre&B4kpdZT3`rX8c7xvY5K;c%1{Qjot00av0{+_{Bx-k9d+{~4A%FKcR6{(5+P
zkr<a21Kz++Tt&tfhI-JaYN=Ayxv#&bI@!1bpS~f%z`nng<zV3)N5|GhIKaT_$-%*t
z|6lJF`v3J_0qsqkF8qBx*QFa@wEpdJS>pUP2Bl1!nHpRh20QP|nEJ-Ct!;5rqtC*u
ziJJZhzBK#T3aqHwL6r$2yS*^@4i?!mFfh<Cs0%oivyWe3kl$awN|C%Ik9D$dTSkS^
zDq+tW89FxCv|Vg8OGk0i-0(ND<<y(DpjV7|IrssXA<u28btc(4<fc+?t&nl^MVC~u
z#k26PDxg{cD2}Kh%zz&R);R|fL=NG+_YsAEvP(ParI>+As*h0bn4>Zr1*P|6oSOak
za?541TRIPor~&(FWVxj>`AEs9%riH}>83&Ltj%oz#lM5_iWaY*V2@6`Mwpcc?1bUB
zIm|gwuf~2t+C;g>dlKAmE}H<@TR7Bfc%~><zm&Sj7X#p-<AE`8n96Lz6?~HHBYb?M
z34bR^WeF+j$qVUts1;GrGN(A5RmBSi>fO6bigX|~2$nng3h|8V_ro$pi>1o4%sw6@
z*M_xA_yGrme!`6n>CWEnS-@`PVXZ_UvnJu_Jt@NV#B$rMMy`IH?57T~BmjD8$Qn<4
z&vL52(&GmKEG_Z;`a@K6Mh#NMy;IOD|6RobvA?SRJ<-*Ij;cBvn5kurae9JtZm17K
zb!vD?d%aWGy&>@-8-e52VIUeO3A<G;=7LdQ<_H+<l9b9kYB5YF9E^AJwnGuq35)0+
z^zV~4wOsu|vR=5Ku}@D=v)*xSe04=60mc&3#;j)3Xuj$~bvy=9_qvchLUk%nc`JhB
z4g&KZD0?(RHYYC@*`?kQy`kHdEYL#ybx|mQAl~p_1122DBGFV6XqUIJpwKM|qpQ;r
zzP}-@Bg85Y99iF?PjJ;#kix!v3D>RMgUwHC+-|$EU$r>b<jX&X=E9p;u`Y`J2rZC*
z@Qg~zN-eyh^U%h%&V8udpBz&($8G;$Ss#OZc!Br%usY#c_wIf_yuDhWJ{?>3o(i)2
zmOewi1tJ`f#ou4@pIUBUdSOH+MFN}bH8J*h;yvbmT9pK4My42~?h%@Mw?5;UulOdQ
z&!`0SJWrMww2&k9!HPzKq#{s~-9iSD%$o#RfHX?Vf}=EJ|9*%~K!13p_@R{02vau&
zV4(zY2o<mFfsFwi3cWD}90YBOhY+y}MOb^VrxguL&Pm0blPUJc%1r{(56C)E?pc)6
zMaZvQAV2A|ibT*#N(*33Vw3SoNTm+=3$9vqF{4G;WTa}isO$6+auReE@NmhiCz;82
zVPCzcOT;t|wWSkAj)lI2$C%HK;ZAl<lc~mV-IvV}#X~i+?p(;eLVwJ-EP8wUe3ZX8
ztO%@szm#vBzcO`_@O_=H*!SI^9n9U1EjU~szErLpg@cTpIY+HRni%j*#7hCl#Xp9`
z7RPX9qE&)aa}`p!hlKmFP@TBPhNzH~JdphnUf#D-797Te`1l3iUS@;@c=>(6{qy$y
z(nn4BMZtMxQe>pdy<rHm%U>WWX!m5C<g^R+yx@A2O7z^4s4&I3G5U%sTZg&!hs&JN
zifE=>2oIWrArO*<xv|Gn)@H|OMpDe;BeBRAv-d?J&IDqEht?dbIDQo8$vdyBX9>u|
z=)_DIO_HFrMSb~4z7NJs>3&U^(C3YKbE}|j^457*E{R^x8}m~Br0#jLoWsVRVHPuO
zjbK3lwcBIDZHT82`=PR770TdI(^C3Yg(q7RD-QkzPc`~M%L}LGm$b>Q!W0XO_gKD%
zR*~|fcd*SW)0plHw~3}xVu5s;c|cs4K)DNyjWO{vc}_g&P9oEShdi^0`CBdm2K;s%
zp9U036N)lKIL;tE>J_hsg><JQ{1(eXj4|`nV1+n@T1?Ynq1sO?QWbtnnvHy`ER6J1
zP#WuilrlM~^pt$0U51(<W9*zg^Nl(Zur4M_Kfe>0^47N`Dm7-gWq>6=#KnyoAwmpR
z)WiS?6H%O_^kUg}a>tM#x`el#?Vf^r9fG4b4kdiFG+{42JlhGugN2;=j0r=^`rxf=
zV98%;XJz$O>;GEk6AY=%{vac&iS9Gq0f{0MljfP7v=}_H(Bg@6OV^x~nqiCv@P=?E
z;A@&V4Iz3iHg-iob}QL^3ix=bFAu?;JVO{pf5DxcOBjABck$LerX1Q}lxivBlyQ$c
zV`K0=0}dsFJx5L0<(<3d6cum5#&U?H9G8XUZY=-}(y(%%oH_6YZ;e@!43R*6n7s8x
zx|gby$U&np(W>X9JyN1rF4#a$A|P`{#%}P32@Td6^BaS3Q|ce)sgMBmD4CA4W(1}X
z8gld#9hX$MRZmqmCCm0$2JQgi@!0>gxDgbaI7P11QOU9t9i7TID1UFJEjU(XSo0LP
z)`xU5weFoCiIZvLaq)-Gcv&}~o>!=H*4D+%^Js`r2zf1N?dW*5K_^Cz-L{E$OLIv=
zg!n?SQtu+f+U<-sc^UQm$haSh%y?QJjh!_0iphs`!)xVTYf7~TH1H7w*Qca1)QYt=
z9R(RC>D2!&%e%bukU}amsI8gT+i7y4bUgA(b57=D*a^aKEjm*7_)!m3j<nO69quA)
z8DJ*NFosbY{YNrAg>jvCcD;@Vf3k$P@V3x?JfbX}?pJxgheE`)zwQQrzir_PYCMY<
zsh@u=dAC?QPcHufk&EE%d*}a1lEWC}&KWfQ>|!RST2VB+;dg3if>2U3BN`cIiDG`X
z{csbfGlWu!c<l5v|B(yB;(>&mb~KK(SddzBMdwlM;A2j89R5N3Ks#d#xeC!BNyaih
z_P(u;%8lHJtXPCTgE|Pe!?#ZJ_)`Yt&2;+gbjj#lV4s{j^@?;&@F(>-X_|^4tnZ(n
z0Vi-a6;aH{0RIrxAQF_ufY@-aoB67es((OcV(Z8}ig|$w!|iH2-GZk$cVxmZE$N&|
zZF}7S!Z-*CI_}0niga91I8!Cu^J|)+xZGz4aRDUe6gg#oqt65)HZj*>ftI?oyKrbQ
z+MP~tEm?_9yb}9R_UG(MSeR}jVIldk4K(K6;BV;(@6pD*GrKHwu%`A0UWl&VoBaIH
zwzM>Wp!gxfyp@20y@%EeCNzf{@JJanSPFh;Ms7h6$QHhK<Hnb}b5$P}Fw<4Ps`f7e
zh>k<xKef+1b4MC|C6GEYOs2Sc{KOn}3Fz1*j#)A{MSh2rop{AIyMn4nVWtqAw&kyj
z57xXsuQE3)AArLJ_I^<_jKmG?2^8stBl?cEDt36vYo~STK=v*3Y;!Ps`k(Um<5|;T
zMXQlfI}?Y+7njuoOD4+QkIS3VXutd;n%sF=C2~y(%!%|v?9u(uzs$hLeB50y!U>^Y
zC6X0U4r0t)i73?wNt6auRxdz!kUJqg=dmn#LOK8Fhi(%uU24xt)s6Gj-9`UyGpsIQ
zNNz6IId&kvK0UZ=NZDpW0f37d6uH+wxs}z!$1w7%8Nb}V&D=JE?Z0!*=|*(&OVg(G
zibF-SajJz2R*KDb^^a+u7U}Eha~P=Ll}$kH`qX@gZu7m<&K`Ju?iNWan+8P^zcU#p
zpAHPAx{RpJA>@AgKgYhH?*3exZQAg<*|BcizWVxE9`#XFwZ(thHML5bdEA8cjbmXV
zG-xTZL#rL58>D*Q6X7Q<G2@qIca4!gbwND^Bho3N$DgY}!R@BMG;-EF$mR7v0D?e$
zzc9;jZ;*!5`$ZE~DXMz`ukwyMvou}cc**K6^a$twPLj#JI;a{1>7cicEoK#Yq0u-B
zN8?Ijt<I1z&TyJ{dcAvfQ7TZ2MAxea7_eAT1%7q<q<E2S9;++Z%_kpVm+vO|yF|!Z
z%I1oYb)iXppHVC|saNl4v9$RT@Z}G~dq}3eFkf{i;}ZI}2!U(dKMLmIC@4<d`%!d|
z29xT5eDxVH!Z~!Y#vV!rd|Hs~JFks{co^ZdjmN<}Oj34tQx#V0U<2$?bcw-Y-ref<
zYXLD^Le6dA_e~2|A-@h+rK*qDL6#pRgV}~NMVqxUi|Mo_jJzVt{Og^^?<1fWfUui8
zuJCPES5E71H6t94@-f^9@@Pv%C?BWEHHz^yg3FKU=QaD*fib(%q>phdE=xdRjLd8L
z&TIT08wJPKk3Wj;endWchl8s(!4ze){vZmn3|)`I!5Gnbm(hD3U@tZb&^(A{7%pE3
z;#+iuZ&~GGf-?muK@Q)9S&pv9I7R{N55vO->dy$)<6w?6gl~dD9^IlKgDXDLVHgML
zEk{RzmgHlcUWb{y{s5^X_}^)e1{3s!-(7LXP(RG^M5)I9e0j$OMV;ReLhq&^R7}z#
zPEnpPIB++EHgFrNP6;{whJA$w+%&-m(nM$Sq6Z00V92gr$>462FwamD6N06q*#yT7
zIO)2N!+6Bd9V%3UTX*<R%G`Z?5zL~TGadF84l^MHiX_4v6X|S_Cuv<$w1L7LPcpQJ
z#631!`h?16Q=HbJmXtmOq8(;U2?^~fjPkU}B!7%>UcbV(Mi*pieFxyiK?dbp=A?$w
zjJ9r=UDGC>F`Lz&DO_1Y$I|3TxRETFSoG4H43;nn!h~0&aE@b?(0h(TD);mUTmllH
zPx%<fpU?#7<AmL@G6-S?DwzuOhMqn~L6*%X{BjjCsbDVgD|X6f%a3<Vrq6_Q=LyPj
zmN(VfDI3L?ev(8ui0{yuG9KEFUgZOud<ta`?kfqiGgc4nv9{{HEQ0E^=!YNp9a*d@
z+@3_~MQ<Qei<<-m>z*>H{X939I*OL#V+{-y(V$w4UtR+WBgI(~%`r++l){~eI*%Bq
zr|hz$evsiIBAPq7W-5R}+ja728y#L4oqigO(`161Z1uDm1sT1r?-SyS+bBSB5^u+|
zC}L98&{PY(Zb{s}l(MTF`Ta9N&IoBBLN%Cj9}!cO(2VPFxGPIjOR^^o2}U<|!;ZVp
zW3KN_NLuS4MnReew|x9?y%ZU`c6$zV%CY}TCXmd^X9uO<9q(I%27kVoxk~p0TR?FJ
zw4yR~Nv~=YNYI;>Y=~29);cU3ufzypLphTK`%9)G!(l86pP^mdgE>A|2b`STjj^GM
zdyIm9GRuLI*J&`F;vrLp%)AoUhuJxLXA;{i;_5Ywb3DSS?6x@xZcdp9flKEc+$6XO
zC$kBPXOliofm>W?7!s3!m|Qdshz)0VMcJ@8Y69Q>tv0S8yNw4fvN`py;E@~Y5sq;R
zy@+ldkR3XC5?qP1PG}F+8EYGYXj^U_U2is<19?U&GpkV}tzE)pD=*7x>+)CGT({uz
z{z$=a>ns=g;}4{w%^mUo*+V<Tq?EM$Zf}pCU@O5IWUH=r@cz*UCz?xuupAZfRWolo
zU#HP5g^N#pA-sD;qzOR6D)E&J{O{<z#)bU6hIW;onPNl>Oed4*R9Xq}lf}g4_nT3h
z7zYy!s!@=-R1;@;8pfkLXyz7u0LX4=({x3cF~^wAxV32})=MRDhXP`Ord#oZah2kk
zW%&Y{N6dU;zEyL5fv-tqGY(>U1)rm*h8rYjF?D_dVvmCu;hO=T7AbwF`rW+REgbxW
zc+KB(?0<ICQ)gZ!YBrlcZrO%Nw?n2<C^tiJaU;R%fa{PwR3|gL(hv!y6R6GK(cbHM
zkd81#IRGnVnW#Xu0@h4*#Fct}=2Q2Ep0Y+kjv^dnIr{#K3FQub|HW3wb*r;G(460Y
zAp^gwZ#B>;A>b4g?>?1=t>%FKW=+231~f^G@lYU@<6(W>dpwNC1UnYh*6YkfHkj{e
zJ03{)0bF~FEh@l0n{YL;e{#qbJUE*)y&B!3IFa)ziBSgvGMdr~bB<{s!j(kaS=w-P
z1z9zE$*8#e6!c4;!Zo<0Cwj3e<OQTt7p7TG69eqpRm8{V=p|1e6-BfKk52?77Q)lq
z6m)kHgpm>#u|I;4MJ$Bq#ClIS`=QQeS3~nA>yB0;0JLaA%d|*Z{M{)^Ko=J%MS~z8
zj8T2icRQ7cX_+L#&FdhI>z|lJs=OX1IE(+1qYUE-+(SH@!nMd6%|N^39H$NR3H`+O
ztrN;ZslhhlElAE0pQ?d4iq;_91l@uggz27Mz(hfqQ=~!VD4?ju_$G&1q~DAR2oV7)
zR(7wg7Mjr;fzd2xV^)KRAigDbv#C!@`d2!`5ObCtBNgppwRWD)T$Q;)?BKipz~%nO
zWfR^_aI;oX|86&a)p=1oE8KIUY)0tYwzQ;WWjc(Q&5U|CVU`ogX41y|YdSifUJ{Z=
zg)L8r=m)9lkPt^GC61DGLTDIZxd-4rSdoOtfGaRrE}UvEJ?oUfJ8XgoeWI9t5~$L<
zmnjxF7>rSJp@4+jorSBVc~=r9CB<TiBig-Ef&HDS05xjLIcy|8`Z!AB5g~7R?uJ%(
zcj=5+sJ#m_q5+2d_H>RD<@ZUN+&Gpyc+#4OSt28o0B|KpDo2^I+l{j&3$i=0R5Oi&
z0j5`%55p9)>hV0GCo>&rUpVMn<^2K){)Z#+H%I=(r)1((Auf-UbDqj)$j9^K3TO5_
zu%R-Rg)s;_47A#XenT7WA>sIn{%Jo2PBe3{Zf@(mzNVyt=`^}!Am6YGB#1ihUpA1#
zuNH7wuaGIKix#F+UhDxX>Pt;=L^vnT+3|IJk|tA}=C^1Man~O@Yxcu<ST|ps(9|1k
zRcS%KQWMivm780^MyA#1!ofAvAK(<;8$l_kMtCCqFWLTyQ6~EY5I%8j&K1^z`ROt>
zV`vvTH5UW>o@0mh(3iUp4v`nM$y1Eg9Jo1aGnfzA6c556LW3Z~SrhrLHB>Rrrzy^G
z3}lB$UG2#|`<+3soIr%^SunvUVyb~ZG^_-40fxwx^5-LC{3V8t&1X=aL!1rLuun1j
z^1m6z%8a~QknR)ZI{)S9E?Ul*=?Z3fG70i<054(Sak&kW#Z}u>NZss%(0ZIEaWbRa
zQx=3AdbWtPN)A6jgCwP|7#V8lv-Ld-W+@xx?BPN}U%bFmKY;^DjXvAOd5eb0TpN_+
zwwA)UbMxG=EOfxCU1_;AJ5^<>X4mGZ^atUmspg5o90Y?gM&fNU)MnS?Srn-Xn5tIT
z1(xYAl|Y1X^(jI6jG-`1lWCFaCuP7Os)qjfLp%XQbe-SO<BJi_?T#AU8MGrj;`D3K
z9qv9u3yR;9${%dM*@pUET_1<N(Lg{J`yr~}5)!i|Z5}Rgd~5_9OW<;OyCjW4UmU}n
z_m~BEL!3spWV%tIYa%!(O8U9R;yo=xD@=rZ#Vr-MFdkVc0tHVllypRkAPnH&VMO;Y
za7(dGEQOql;8KN|<+6!CPEV<F#XM0-+%OPyWfMdgsXGgG8E}Kx7Y#*FpJgOD6TrQ{
zX5$o-^&&}|Y$Zim6jtH!7bdB+2y+Jsh*<GTd$u;J(>cU@E*k&xq%5Ri1$|7y43qdT
zIl79IYm}sDK+G#Fxir~U8qLb95RCw>f%?fT7U7#M^~FP`n-RcuWYc|#tV6|S75e<U
zy*&gwG=BKO5-={BT(AD|2dWUkiuoUFp`|v(QI<@wn9(9;8Sq!P*ie%TDX1u$^|yHt
zsL7>V?F*&^$224j0IUP1y#&bqR2ii9st%9L`CBE=i_GTp+K=b80#cGl0Cts3X}b_-
z#1{Mri;me;i^*0;9WW@u-H8^TEeb<b4J{QW!~52igU%9kIm;kmy$;eLjFaw6Tzu{@
zXM$QjL0mAh+-keCu@~WJmInO@(@Q=anJ*mACRndxS0bK*QxglbY*<*cmg#!XzYH_3
z6~I=3a=qaKZo|HFr5NR|w<_O3abF7hEre!{G;=#yOjz&bYgJ=ekv=VLYSM%=+Dssu
z12%-zF?QnS7x}ZN_#&zjb!cCKLxl4Z9IAWQ+AF=6Wl>-m;RL4;Fs8vk&+j4s<dCLM
z*=Yy_Xz?(B?m9>vHdwX2RPE_$VpwA0d;Ew+8sb3|q<Dx@91OSVX6AUP0gRJ)TU8HD
zbij34ii3>AW7nAP%r^GVn#hT~54@N(Ph?OU##xR7NNdkvX-t&RG-7ny)F6p1iO_iv
z$BDAyH<)F4GEvii@XA3lbPWjcXxtRAM%_T!Y%nH~C*SzVFZ%wZA*R7+JM$#xAkR3-
za5TqkDJaXyCtvZgvgH~$g+>r$E3*1YUvv@~k$9*YN_8cG032d?*(Z)kTs{v29S4d+
zrmZv)msaW43SMm|&B|wLGmO(^t8yVkZf?qGHoPD)5+gi^cQyiE4Uyp>{irEGVVRQ)
z@y1dG79(YniI=j{{1RP>a3_y^ME9r()RaU#!3|b9tiBrZKnG;1)E!TgVA@2zSwF+S
z&&Z&}vd*VqIDE|@eQKaj;~-OhCMo*F-UPxQDnL`5ry-sj631|sa)g3B$CGIe{ZVKd
zZqpRc!(^64x7)#Rh=+1y*GYOsW(sEe7Rpm?`uT_dkz|n>evX`e3Wfdo<_QXIEd(Z+
za%@C(g0G7*{dBh+%?n%nqT9fe7+WVx*p_u5t_@UO!y~N$Oqc_dswEGWj+A8us|{Tc
z{XK<VXzy=GUEfsXMg)=ag}v@gIka9=Z7Mr}vltx0mU9U~H@S+aS{N7|YYt;mZCKQQ
zaku(>sOp(@X*61>SJ~+u-7WA6<0&FWUTpCg;%SOm#`HR%FJc}C89hE0C8LqLc`1np
zbhV#@B|4Z^>M1W)-j^`nF_7khKa~^lKIC^YT}iaFK8wWQjJ%~1SBo0omFJWg7kPD^
zR{X1~?3EQC@kVTW8ge}q=CB73UQ^9qk)4SZ9t~)iXPP(OKxshy2)YRo-VU6L_hM%_
z&chgUM~a^Op_@wr4XW7j&d+ApxXObpCww<|PLC$gmtretG6+OiYytg{E5|Kx2)MGH
z37I_UqHPh<$*3GIVwBX1*`NCAap;?E41jZfh!B>!9D{KX$2e*_``~LPgcFKZRr=Y-
zc@RdKvT>Kzm79eD2RC@J>G8*{JMER?uAY3kVa7f&#FrpYkoLno4N~<4AAy{?Kq`(i
zESGTR8Q5Cqvz!E1j%-n-qL@z#fv5l}Es8OVg4|8r+Ym=X6)|)`roZd7rfEU!y_-Ty
z)EQG6j8_ef_Qq5vs%aPwJ8<)}^3r$L)+3o6)%2KEN9~TMUiY*Oi2Uf6z3tEepWwm=
zSx?==KzyxX5j9)AyRGt_{0(Kd=T<YzgTa+654;FAMf<iKi4QlUoUQquD?u+a1E7bx
zTNV>joXw)#SWj_mWTf@bo|p}`_&IoLp66iO4{>TIOGF1J#=(}<JiMag%Fj!lLVM-Z
zBm+onARH|H;RoeZWu2B%KftsO!*Ce?C7073nuF&lrah$HiONz@X|<ekt*i(~w+$8+
z6PGhbI7p*VQyK(F9}fZ+c&1pKx{ecRmcSNVq{)Pa`y6v)?;)8f4k~<S5sN%@2whQz
z#a0=21Z^K>lOT%F7)MijDjZC|Vn4WM<%W}6Ok@1Sq7w>{X=gV9!;0#G(9g<+HN;sn
zfaM8s@!~Avfrh{(&J(JX=|M@c8##rimk=Qtz*wEFrmmy86cS9Bhzw7;Jaf3V667bD
z@-dF<lWgRuLbJ~%8I6;m>`&Fl1e~P{8jPd`-4NEJ0R7rKK0+yGTT7@f%-jHtBjQvn
zVB>&C*Hz%M*qClUf%Y(Yz=>g7hVl$Y7j9z+e?(2Okz4D&?Cc!i^}`SR8}Bo@pt>9V
z@drNv4HcT4kaX>d9-MNoY#>4OJ-w~1$P1V9B!u&tAEQ~!<8MaLWB^;|hsyae0n{F_
z#%4!vA3si#&+l-*%TENJuwC<~z_5=W3zrdWM-=|7JpA2O6BIe2c9Afhq+y)PS<Kee
zne`=1n^D!HY6+L)27laWV|LHSK@diCH3!-Xmq^NFil@=-c?~4qMqk%mP8;Cz^;ATu
z&X8WGp(v=@ZAhs`*Fl&Ynk?cwK^1Sa=k}ioOyM{~+J|~pkfFl#h=b|;+Qz_C{Fc1i
z3QQPEUERAx-O<?LBASp|E%X}a?2HIq(-zrM!40-e>6UJ(&<EyT(@-{WZ&@ck6<RaN
zQP1@%!=m!kP#<Wg$?qBzFLM*o@&|fbEfR#$^cap&oWx>@fK!3eAe17b8a_BqLGxVt
zd3R<76~W6Bxd8`uh>PPlO`}y0V>Hh5X|~&Hjlz69>o*6<q%}!Chfx%?u5n)sQe33d
z3bSm6v)0a&N2d5yP(;(potLM_Z@M4BLx0ol_52szj~)N@>$cx{_3`LfdhM*x<xe_J
zBe*4Zr8CrutjVQwkOpFj;7hYo7u!<MN#Z$9b9PQ<j2E!Sv3^_yJSb-PxFu}rGX{n$
zLmP@LBfp+BbI?o197OV6StI+5wLRnPQ;Q80Ov59-TL88{i?pXby_PzR_@Is=YBqi8
zV~7vw5aOL9QL)?sL`^z6eUTw|>1MjyD4s=;wNt`<D9An#WSD*!*mRbS>jDF#f-aCv
zMdP~8K^5%5XTbrPy8|V+tJ)c=YmEEWgkQ5O*AVJfmUye-Y(rE|8VAu5ZI#jOI{2W{
z-?%2!VhEcX_9b*o)XeKaw-h2OE%KnB8ARCxlIBfz3m~cTnSSFTAY3^5M%iL4Tfyb<
z#&`-SB~aLLQ)Yzo^#IE51;{3Ya(7>InuhaWaH|s`#`$%UURk$S{&-&7HOW_matd$#
zxCe-9+|R;%c@Xw^mE${X51ZyjG>m!QPzl7<g;W;GDh}PvfWFgqNB;2#`i>RIuiRB}
zJZgsOopbh$iLe1OgDc2UHcn>IkY1eE$0$kyc2{D+Z%agCXia%v;vL^m(VvA8q)}jB
zTreDxc;xMyeX;5uq;$6_>GL9tMD~0Vu!CL{V5@~bO_Jd(!k^GQNJEGdgLx1}?A|m^
zELy3FZ>C8Km$s0O2+`}52oyuzg|XVOq0y@6F{toX>;IuFnWY2#hVDgpd-{6MyfLzQ
znKdWD^gOOLYV#mP^p$qrd0dxiZ2C-afc|`cUhAFtXK#DwwGWUJxW@f$91eGhq|D?k
zGDhu>e&?0D#WuVGte{ozZKu=i74)^8&DaZx3tAuehp*qBb_-fx1YtBwvEAB#d-k$>
zbavSB&#bn=EFa@IXSeH@wRDYGZS5Yn2BBc|8k9mBXpjmhp+PF7NAK{(kwwFB6uWCW
zIUSDT0zQ)#MO-GWig`?07IB!gRL66-#iW^N8U7Ux(2yBJ=Mx&zrD{1BoHL1*viVbM
z)QrY#<I+Wn@n@0Y`mKA~J3KzxMd!6g&F9TW=QXCyyZ=1v9+9GtFa4wa-b?>g_v6{&
zo9^-3vt6|F=n=nV_sBmx{H^=ZKRIz#e2RWlEAMv?{I{>qKECaBPd^?Wopn$B4y+4_
z29ME?=;uf7R=w`&Z{5?6r`><N?e@-;HcI_sJwrFQN$L>Y0_wVx46&|W#ABghh$;>z
zIGN=%IAqyyQStqGt$TX<@m;swJ>37O4~mOGNd>PI98jwmm|k2CijlAwm|4LS<9~^R
zC?78}d?r&L-yHVd_-CD$j&AHK<#_Y@heyBpuMhW2Ac`900Ht`pJ@S9^4`2K3*IftL
zf_mk^*_<ec?5b2D2S=}tj^7=9?4F(;pSlD=FPE(A;lV5o^V>z3*Ev2q>;CiX<Ka=S
z+ffu)X_a!kPfm}|jyuP%%V0X{lmk6`-6Mz`b?H=UpB}&J9ytIP)LRO83EqV@m+IhM
z*MC(FoYpD_-07a49Uf5A+Ii_8z393oi?dca;N#Q77l);D+NvQ1@N68WLo^N2#bi(@
z`d_=9Gv@%T8VhL9j(^nYzJBe5XI5BfejoT}{_EnI&59)z_VFA?2^`=Kvz$2Ri&&A9
z?$Q3?(Tid$A}W+4{pPUOJ3M;v@x(v%-*nHqE)C+SLtPXB6TB4ptH@DN4Xe`{iwe>p
zhZ6uHfx|-ld9B$Jj{qH`D|)H;Nt)!zAc+p+j3_${O~l>e^cS<`>aF7H65`9Vvy&c5
z@$a(`77euoA-z(Zr*b`60QY*s1(18}j&BJbo||<Clx~s$Wm=FmCIM6dA)NzX6H(u0
zIAw0n3iO<j$o4`kDYB#XaF7|^zWWX6tGY_nq&0`XCaU&uI=>HHGid+7D69L8)wH#V
zuqNsr!~Xs^VKxc!!FUDozCC@-PFC>K4Mb%JY+EZR2f9iKm%c)8--P0ZxveI-gEDKP
zc?YL?cmc6Gdtc8AbZ25ckg#C)?FbK1ALrK?Q}W|1&%O!09X?Yv%?l{AJl$y)oEio0
zfcHKg9vvKie0%yD2*_8IhuqC*vIXU4l8#z9-hSI_4U<9EdWZWh9um+m_+uxDb9}?@
zT6Qy;*0_g(rCq@ZKzx%6OWQyh#^}6;ekvT_w_vvs<Sf8z2Z5Gnw3GH?o%?Mp61FQa
z;2rL7<HLQKZbl(J&m(|-lbPj=v8(A_NR%}Zou<=HFkBC`0=2<F1T>{Y><Op7mGp-l
zeNl>o;Vqid?!E~h^mwA00XBiwM0xts{evJ6q7~>KLu<G(E@Wqpa-2@WI1uj|3D5-r
zPGiw;LTfcftfsU{khRizJvzlf^#`F`>@?e=<lc~4p`Pz4+flg!#hIfd_GHqXlk9zp
z-+;nKE~c8i4hpP^wj^Tf1n~ez(MqIcWJK3Nh6WrCKO9El*>6H%JvmiPUz-ZclUFQ;
z<dbPsr#rc`2KU)AdLgu+1zW8D#O{gao}Fg)zW<^(zWe0C5S)zs4X4C1t`^2M(400e
zMi}t}Pn>u9eg#%o(wP65(j%+Wd(YEk9u6H_(2Yx+l#PxmjHdJvVDF<=Mm4TKwQuau
z5hEN#pT7TcUX#$^#s{IX&uhSp`{1`c4y$*%{J<9->fP6#+U7c#+13!LJwpaOU7ESr
zTXdn(;};Z#{WM5#8`Ae|AVE!ZhxWwGF=)irj)N=<M=@NZ+o%TT*uz?)wOmtvdA;S-
zCTCIBN#dBkCaj$%S2$iyqrmh&d)*^t3=G(aKEV1WM!~tRRc#xJNU;e@-y>DvpmoTg
zJp^hmo)jo1$R;TM4hL83q4qTnt{wuV-*x?0OHx@7VNDdKVeabrdTDj})11QkCiK;}
zo>Y_89{rlg%JltVJP)F96=yx9ExE};;<(}0C#tdeq?)RZ!LNy|Z{w>txn9M-1u>e@
z#@6}CZ$MIQGfOo=)nQwdELxx7bZxfiri4~OMW8l=<yv2|;5aI&Fr2A$8yQC}6-seZ
z*aB5pRfXrscUpk#Iw}M!Z)dePYuK%;2ji}%LUN^8EHI8r8g;GNC#k8;LRQ~eE4P}N
zHO$sV;=<WpucJb6M$8rrS1lDvp{Hy?DymrstwP$1>lQ+k-cC6*QBQ^B-Y{YTa#piv
zO*!Z7Iu6chhOmfnY9(9Z%dxQQXcDN}4O{k<QfNgZN+=~W;Vhw(0!)xNmhxWAl;UNE
z54#S<(^#NA^I$}Kbzr6K9SgZ1c8hF8DI{YF{==@zI+WvLtTGZr9BRK5hI9Gs!)~#C
zD21jjOnlh2RQe)qbu`@Sx)hGJ4eG<Ld%l)JG4j$Mc3pO15eQP!>?u^*-Wj8R*e%qu
z%K%eIQ>;3d0Z1Y(6PVDPrGWJO^oL!CHLGqfiEP@*(zb@@{bARoP8Wip%wm_7Y@Ek;
z(&v_!^5Hau<G)ae-jlMWdD`d;5_#zu4rX735k7)%Q5fSRc++kJ4U%X!iTN+M6RQC!
zIe^JLV3ufCyzyqUSr;cel1Vqt(-3F;(Fo_tmGf}smf<KN0F+5Et=H-G&wGDE@9AaI
zP?O$-{b6fMJ=DraB%i?0<WDh1`A8Y8e5j3Di7{aK%<I?I2?XVb*hPCfZoz>F=NkQ#
zbAU>97KrRAch;aEez0qVvD@Nl;Spte2X17BDx8I8tM?{+^>TR3TE_TVg(a?CVEI(@
z76G-HYO~FD7fFih6w~)t_?F$d{sAQyJk^VtAgNT{vbrLTKNz>9-)W-Csb3VhL3xjJ
zGF|TUl5+Uy$bZw_Mdvj<YhL3%4u|3-lX1jpM-;Hu{2Gim{y#sq|8>^w?V?|Ho<Cmd
zFcH1Y^GDQ;K~UhT#Wc7j^z7f}7_Jl!P&>%*&woW2Dh*k}qDdM;V|MW)Y2ZU^--1D#
z$`<_c#j`PXLzh+YO)!~8(3ZsC39Vj#|Lk!C?L68cAHOuv&d$z<Emo)1BDw&b*Lp90
z%la>V**mY1l9oLe1vG)Xxir|%lR%a>Q#_mvaJ?Q31`T+@F{qtjFhD=;p&q3RQD>cT
z0Q05}bsFfrc3y-1=0uzr&Ck*x&MuO4LSJflfb+o^UO@X22XNOWdjm;=rcn^aaPdcz
zQYXB)-G*bZyw2?uTl^RUn9Ks4$v1^LxWQY&Io~WKq*t!!#wkWu_?BK+4wHx8w#^n=
zn?-D6P|p%}Ci;Tl#BTy>vQnLYU*s>sOPS|AukFG_KCfM2JlzhWaE|HR(5vS-&bR3`
z6{N{|?XS-Zs}TZHxaT!xD@f}yOJWZV#zC6ld~cRtZ2w}x7{bBTT_pd`Yj2XcfgV3Y
z{xn68A3c7A9{s%g_?O+Me?>3eoLLZX9*j%~?^@^Q=d~w~w*U3=x5x3@7jK{MJjTiX
z{P3qV`StO?evhB_d{V;#cC$TAu5pTo+x=TUr0&f$g(IJ`>RrK<Fge9}!{>!^RW6wd
zsX7&mMQVO<eU_&0AAQj6l(p0s3<mF6O`@3L>&^#zB@W5C84L!x>ZXQ)VN8|K9(vzw
zasd;@VT%LSTEH#bT5~?%*;pIsi&z|FILM~@<QBK!i}x%HlF2lIyN=lnhT-6f{Gz4u
z@_%a{vl_=z9fX4`2zAw3Fe?#yMgFOEl&kgJ6P}n{vs|CNlt>JXJ@kdl5h7VTM6dP9
zx5wn$fP8yGuR<Wr2nuzsI^IJY)_}gSN15slh=l^GfhD6hRW`G@q=?m1oW|xw809#v
zvyxYs-ql4aH^X=k&4xHr%G8!_-CyT|OQe=Iq(2)(KDW5YI2^$&!gyMrgi#b`c#y<H
zYb36_bIdz)GMuxZqh5zHanV%+X|VZJ(XpW~T9XEGoF>=)MJ^&44L{~t3p4|`#Lh7e
z))&2BLh+<b5>R@zZ*$xWKV!}<Jq)1_scl7jh85&ZyrLHEDCsl5l6<YdR|`KFli6(8
z%)-yujd_^$f(fQ+llm-;b{c4wMvqP0p?rrswx_S5>Q<9J_w1^V^{S7JsvJ)ac5jcj
zEAdokc^GBZ+Cq8O`hVHE{}%hd&9+P|p38RS<*J}s**XU6ixo7XyGoca?3UrCt58|R
z4!FdX;Hc-UwjXE>o6T0U>8SO^5ORq*ZIO+G6b~u3>gw1$NEwg(>9m*AO*6__f4xk|
zo&NZ}@$<a)_UQ2F@a)ikefV#Fp!5+vPHB{Qi^1cG7=F-mhXPX{F9(TZ^;iS61V;OZ
zJp<Ge3Q8}a=R@_@a7fg6RCH2Q-HA*p(>sV<Yn7U-1M7zwgRFPe)Hq<SIYQ_34Tx3|
z%|Pp=%q61wojK1sDn!CQ1}3lq+$2K_5M!qU#6?4_OA4mW;!Y#(wH9FstY#ALhZ$?G
zy~_lu3`H4#&fYpX4m0hlLdT`$RMX0}<A7bl8fMKH-{kxzH%&1#%PtC0`$Np@W#F4^
zdEdF$Zvjec62SkM{%2hn748agDZqhW{^VBX^-tnjV%N!pgkEXM&n2+Y@+$%jE6wrH
zuM2b_Enf*L#6fpCmKuQpr0H1uFT!D!?#^rGRnGEOEJt6;S9uS<W2lRgW1!uNY__Nt
z7Mg=o?#gx#vxF6D#<HLz!C;p0<1cmn;}0aC%#(149-+VUFT46x+p7t~eL7rlO!bce
z-$J7DO6`->aCZ1HxZm*p6td3#**e^1nHuP0zkxmu6sWBh^5OC-V(!F6yy6XA@Y=2n
zWqC5q_<eaS22PV}(k9H&jC4$hlZM*63MungE0tx+Bb#md^?Hl*S|Gom{Z*Y8Pepow
z_E7y}U&tNx1q?*`MTqp9;wDzL{-CJ-pg9Pls7@GTrRtq0*ai{gJlJLLe5Ym~UnD73
zt|w>NQH>I1ZViBS=*vRM;mR>eM)mWWbTHtRzeGgTt@aiw%QB@8ObN=FQX(Brrj#&|
zG9}>g`9hRLLVSekSX>I^3^rG2G8_+`en)m4f{~L1wG<t^xxUC9+I8uvl`a{Ue^Oi=
z&K9!C_XQcijTh?3KNi%-$_slWRf-WpF2CITGtA85VkPeTHQ$#f@icX~`loug#cqiD
z$8Hw4mOOPRWqsZi7Zuqq^^YgR3ap{}SJG4YBvSv1#9<9AQzM~je(CzI$8Z-Lxf4y_
zHO#CUCs!GC5lBH+W6#XxRZv`!C20RQq=$&s;%2F=S(l(YED;|&z8PRV#6$G`mx?a$
z==!A<v+%zHiBYYw&Fc~^K25URc$u54Yy15x)ml_bEtF|e<852&-N42hT9nNp7Of#C
zz>ZOeahTJ&KSZ}UH!S^v_{;Re*F&DZ@mcx_t6{GC2wx9(X`f*md<EVtr?qDElmJ0u
z3fEto?j9-&7SzlPJAk6;f)!nW2<LGBdOVxDRXV9a`b*u#+`u!`UW>P|R@!;ds~Te{
z&m2JpEv>t>!Qw`Fbz|&MbY;eO0i$a`G|eU_?!FZ$68e4}!YYzp7z4}K-WoB4n2^`X
z>$MxGKg(T}SdgS{aj@ryNg^S;h4d)(ZtvldDCt?tkF+`FqV38ivc!WmCSuWCfhoP^
z7F>8A17G;06)U*F6@;}4`vAoA(<;)*TU-Yjedpx>hjV)E|My>*`n{WEpKSST@Z*7I
z30z5_@VeN@RFCPrHVJ9=r@;7C8@mM-8Ws^_6^z?OFA>N)C1@_c%tbCOSu40zXI`pS
zTi0_EW~p9QJRh@EAI?)V6({McI#}R*UCG(4D(Dp_y1tluvKC!J)|V>Z;XdtXsin$`
zFdpG_nuamF9pn86DY)d{ILK_;)Ls7BcNVxNp5yekURR!h>a;4pfApc5jf2Nee+E6N
z6tTxf3X1J%!TDfJHyXZ8qXxtw<?El|63WpW#utfE3eYHTEvJxeB@425xPMCT<2k`8
zs4I9g0$pt6%cN6L1jkMDAdEBf?VU=UUG(18n(%gpQ+|U|qr5^pN(NUD#TXSoG#q+~
z{28Pu8gUY{ZKbEoRw%9-<wSi*UnlP}j1)%3Zgph+=%kWkXpV5+Q>t>nO?Lm$;jn?e
zpftGN@1D}Pn%coKPeZC*7NjE)59!Wp{0awWh=iQP(mGIzi8wp#IdaW7`Z6*Dwpybs
zy#mk*CTM9kMVE4XU8FsoehL5MCqCGHRGb|JEecX8{S*gR)!_q@jN&(&6f(*hT#*^9
ze=58<1znHBNL*e<ypiv}a7AM;ar3{$DN;N<d6~$H1Jo?AbBMf)Z#PJKhsTNo6z1PK
zI0E_`42&mO790@wb>GSiiZTwaSVSu2UKp!+7o~_OkOEs~=?;gYwv2+|8yA=iqP}No
zM9dxM$OjTxyg#q?h5h=VdD8N0;f9}7uE9{t;&cr>S5tl(V$a$apPGjkobCI`@Ro$=
zY-<3k``$cw@L}=rTWnIc4=TVL%m0q*bdUl;QdHk^guJ^})g0gC^(`xcT1FVqq5@$B
z@C7nam2+ih6_cw5O7SpESujgqNyh)5;hVex$7EoiE<K>ghwbEC%HP-Tatd^V?C`vj
zE5}0xJ-d+MTT}o8unS>C_G2<c2V0Wit>ZBhN~6To6A;BGS5AIg3d|AFIGqLkdNv8h
zdNn8i<18yQ4ycIu{I8S={I8H1dW8a}@V^4)@IN<`_+J6D_@A3;{O`{3ylUBqFj#V+
zWD}CCR1Q!ib;v|=tL%#~4x-3X+YeRW$c2fbq>UM5TS*)CqP(iiz$6*sh+n|5@bw>6
ziH6EcL5ePesRCSfMNIJ(A5~DxFa9XG(5MP<#WhD?(E1M>SR2J<28X}Cwq@2)+gsTi
zM|-o5J|=$FwE-un8un42hIXiB*(8&3kVt(GW_^Tnf0mCs;~<J~Ji_2~O_L0so{@+O
zo^YK8Hx?hpIZo*<^a8((nH8AgXU1Bfwb~Kk99<hEQHo-N+N{X%BEjrA@NZ^$kmlLD
zFdx_XD=fhOGSrjYnc$p!^-ucSo8W-EqdWBd7spfU?duxWCV@AJve_5<{)_pj99iu=
z)k5-8hPY#b*9&?#C4_k}=3LU6o1(+onDbX_L%qsa-5fB>L_}gjY?{04khQ1BS7z8Q
z607}kZ_jzHVfJSuWW`2ep+6Ylx{-7=Y1O2Gl#^W!GtK6Aq3<RS>K3>)=d}(Co6gvI
zZC4QF@_kI_cB|nK9qrtsOV>0M=T<dK^-oprwnE$JMfa?57OUudSd`^1H31BPEgu%A
zbI4pR!e&btVNa(k4oW7IARYo6w6{1rSP-P6*#yUVG5gPJaS{)Jts)>LUT_m07m5Ub
zmDMh)^OKXJ`HZLuc7(D5z%~i$01AuM1rQ_JTRc>!iD(j%i+d*M!uNup%XV#3(C#52
zi0ug&Q_Rt7bD_u{1HBE`ufCcvEAm5+7hS=7v#4ucD9)#A&|bD5;*ie?&c_J|`pI$c
z%qidxN4p^wKJJ>^I)P>;yBFa9+I1lzqT5ASNqDHV1cL#d=JLH46c1f??0cvX+&w`E
z%rE3?y51OX(5N&I(QG#1k^)Uc8?F^R1Z*d~ax#_{GpQ-5kzAD&%7jNrC7REutZ;^J
z+$)W=5=~|n7SGbiS^B{eN#!@sLot`F@T8o6`pu9K;tE+uBbJv1_HKLwTL8T4zEQ1s
zAdb`rafD6VYp8hJPlSUo3v4G*4fKDr693IgII|KB^u^e}tfc|IQl{c-<R>8EOzh7|
zil;$}d*LW1GlfT*2V{DNpS9=r%TKH?9pOZK)6u=vA+z7s^XjC8P1{W)Z}-Tsw+og?
zQ!FJuf3kFiE|T|7RuDR@o}^I1q@_ImRRY-&&bO8RR*q$J;lmSEQ|7$c@vBp?$^zMM
z7t@hh;b2d}Q3UgxR&h(W^ox`B-?>^U&nkO9uf1U#i8D%Jq%pmqf4<nPzU=u9?YRWh
z65?z&B?bu(2}^@~mSR5|C25$CCz%_>`}3M;w4L!*+d(u+vh&&pdiQO>f%GulK55GL
zAibUD$u3eWzCW+g#{lfS_Q4RBagdFz7UW?;{b?{9hVjU1!k#-?-EG;^d`d-rKN-O6
zI^`?y)f2rWw09`z|Je9m6U;`r#91n00iChQJb=rOSTGqtjf>k!5ed<TTfB;)9$9DB
z8V-X38%GU&=&l9HyrRSHmcFV8^pLKXR<ZDFx9%xk)xHbewsGrTXp0vy>BD5OO_U&+
zx=vxD>1tA?IGH1rXekh(NH^*?P)NiTfVh#Tz*Q|$t&SE@9BXtoELmC5)hKFL<!IRL
z#FNTCbtglLd8L0LYJzuRp-?dq3AGgv;tZE{&q+hpDw&kO;WWIsU21BU*ke~<{hw=)
z3o$F6`US`ecDV3)V7A;DRWD`CrSukM^&3S3x^#-SclhGyK56~}JpP;T|GEi(5S-N$
z{U8N@<^(?x!?h>&H<5H+?B3j!H_VmieMdN_UZ^~zNX?ym+vy&|u*qJ);m*XG`*{|3
zyqS4j(d$;KqCHfnVEARDdLDItUNfZY@5rn_>r-o0-!ZE08db{@ijLsKJ?G^6whN@b
zQ9eh{{Ij<`hpt{!XTX!D%4+f5VUUDo0YcnIw@|#-rCo|NfROFAtAYDom8~v5iizB!
zRLWZV-XYlvoMx*w4dG-hF>1T2D1!Rt4aM$r`>xwt_?c0DQwoKzTcaSut~F!h$QOTe
zg}OVILv?PW<AwGv6<#7%rT7DPu!a8kLuX@izkA@neSJn>V|I9S);-nVP$(g~e8pmT
z;{A31c-!rrxvol9iAC(Ln@F%kr;gu|%2SJ7k;Q)skwAgC$)s2`rM3ISA#I{)lC7c_
zMfHQh)hJD7@sKN%4~<$JOmJ4)eP7GRVODF@Kvi{;A+9xQ6jM@bLZM`}-J0ilUElW`
z9pCRX-unLA#v9*%)9Ctsw{h(I$MDVT`kkk3`tZ>A4`~TheC7MEXger?X8`Mk@4pa@
zqkXe@*7p4w0|^iQ;rsuf-(=tLlY9^upZ6(DfFZGf55VG`@4pj0KI<rT0FLaNL!7oH
zMDqKLHh~W)ARnY)NE-`!h+Zz+v}+FW$m|rrXq{fRO;SK@(Vy~6H0cOTUYaBV(#zok
z1b7DDpbB(nR1stJ2_lCSpw52J_upN<B%S&u=M9=0;~Dt=z!(LsEUWZ<zb9FBpg<Vy
z`~HY=`gY&<Z}$Zm<}a0cVaNAFM&Iib-@iVQ^?HD`^5OGu3ILEdXdd`}00pE<-Z2`}
z+VCOBM+$b@6a;(-Id4-UYBMKpH~!`O|B{0inBJ6?klx7Ge^QX}!9nJ00SQb|M0pJ$
zHEK-n3z8IjFfjqHHo?>OCVJcyT|mY-$j@s5sZnFT7LZVpgDh>hFi35tr)vQzH58q3
zYXG?cA=&^fH-P1OK^pTF`#x5Mer*B)C0X0|GsP)^vd$(3xI}liZQs9b%kg!pz%Ifh
zFsK~lP9>&`fZTvJ*#O85sJQhoXbFi}2lJNbZXMHW1B_i_1YfT^LtSZ{y4jq2u>oH|
z)3i_40y1p-ekdo(v$X&nwS9jifj(Ue&<zYeY5RU6@f@$FCB6nluiCzUC4oL)3($2;
z!NO^#0iSMUnth{*y#aHzUMvl|h}s^FQlZBU1V8H?#O5aG2Jl=jH5Zvl1zJW6nx<_!
zC+zNaDoZA9-=8q6N=64rcEG5Sul<FHsy)mr`&<kgZsX@}Y<k}&nXq163eYx?UD|+8
zvW_qvN-F)hO%VkucBS1|1IP^s*akp;J=QHUDId3e|FP6)^R?*uM{VDKB!TAl1=?G{
zv~GY?8*n)`pb9pC<pw~mmpz6+Xj5v;1Y#rM(7Iit-U3dCVus1%)_n)E2=UgdosAwf
z;Q61*HP%$mdNM%kB{hItZ_wUbAo08b2Vn!;+W^RQD})W;xybC(6wi7b=?#GVdal!^
zCi^;wvcw3!a(7>kKZZ<eZq<BqGQHl3xhatAmD}C|&iA@q6ac!Bl<r1=Zo~*|AXNBM
zu&K9zOAK(jYxS8nLYuEY6P=Ej_Asr?`#DQw)(=2x?s~iykeXxpY%L(ykqX`Dz!#C1
z_4c>{QZM2K{8t1Yz6kafNDOR5O>V#k+DP`tIX&+O^4<DVZR?Hx0ptdfGf=U+RujGf
z_N?2v*%Z$=0CF9{oB{IxY?f#P?Abtg@MoDn>t#@Hfp}xR`meV@LRH&Vv*ON1gKXN!
z?wt?mEs#~bZu|bV<o@)&adB^f0BF6!u>tOH3QLUx>oKSsaiTUb^!0+2QYH_I`F`ir
zlP8vpLs{?>zJa3e@FQu;DZUOrSq3t+uXxz<1R2!%dEfVc-j^^){rLf)LcX4O#__B2
z4_`l_C68Ol$Ur*{_k^7ll;aRugW?E>y7Y;+ugsE;IFF_efK5(GDEKK4)QO7p_!>d^
zjG_$a$g_Le$;V3zto&v)(df@Nau(Kx@fyf>>?4N)?eRX9AK&l%lcFvC9Z3xrN&<p4
z@I^UZ$YM!iK!NAcBgSHhoIHC7Kj8za7zL8T@?a{*KR?g~>2wk4-0(*sWq|p{c~D?E
zjGAw}i}n>lNwz^_UT4}-BoJJ(j(#>%n<_140A1&13ma=<@{|giqB#IXsKb0McnaOf
z9*hZMwUK=1sHQJXROL4b-0|Vj^T7g3PqCTRz)0;KbD>9+{8p@y;e+khHcsctZ<2{}
zZU{{W>^xXRuGaHWD4mQaQa%sGA!1EFr>cAco!B~r<U2HyXOe~f+gGGkQU;npZ7CpH
z$o8DE%VoFVL)kEI!jP4ql+}a>g*AmlDo6@jZz5hGi>*VaYF_)$l}P8I4E?!#=*G;D
z?W7(Qev3!-ptP0}VPny&)iDH|x){Rhw7ECwa+}~oms6=2JnCdHvT?Kcxy_$&EpyW@
zV1iDRHVwGsh&4WsI~-3*90N~-1ApE3{lD%jL-?iR`@a<4wDA1bB?zIl%sYy@U@$Cp
zNP91u?c0^5`V-xF)caEhuer!Oly2nf1vOSK8>GdUPuX<^%MNtP+Sy3lv}M<xlKftv
z2V15t_tnvQ)J;`*<IzY~gy%&P_0-I!>&5+I8@6FTX#vj=FqNi4emmw~pGQSVS{g(7
zi6$PsOv8u;L{zG9Q?o_SRG-K-=M1f6m^6*lJC+-6dr<!@_8|Zu$dh3SWKS-|EBk=9
zT5qlHB8*z&$5QN;u@(GuJ>wz}ca@MpMuL(GMN^P8zUe59MF*Y|7)tC!s#F(~OI1vy
z@s@m(ADZ@y-H};of6~x;R4GdHXY?YBUt7^wMy#Y!;*uSo@%>Jpq9b8TB;?SbG4CZ-
z^`fR!TJ2)6E@l~s`F<zunC;|PWV9zItrR(F=V=qyw6P)F?9;|f-%2E9tZk?z1Eism
z4ZY6^^SMj)w=ut=j?10m=zZQ-2FP%fLj**buOWM145Pez&oSFBMWhVUgVeo^yzI;+
zp1K#wq`uJH8<Jt@g;ye_0N={#y#PxzzU&-&y27K4U8IyAw2LQ;G3%ylj@^Z;R3;qF
ze1DzDN%$Ia^RDR(nPib{m1rA*MOUUInWRXIeJC?VtV|{Yq0A@#vL<GLDp&4#TXot?
zEkw=(C<61cZNt=Y_vp&D5&)QhZ9jPK>OzJByxOHxm9q|AO4c=>?B2(!{nAQ4w^y)G
zhWv1vXrY??aN4TH@Qyl*d)#*G*lq5l5${OH-bDl{wk{%Q0?dbQ_>rZ8?-0aiZhxT^
z5s$_?OLebxIxqHH$<N=sLU*rQ<o!vd{7&3U=W^C;%|9-2_T}L9SctXTTx3%i$^fCH
za(%_z)w#8fVR*e#acgXBsrNL>A;UM<Du5(|0Z=DR*SV@uikwHaqRiMVkCKMN^L-}{
zQa}rE_-s)`Hd&(k9jkl8kAVV%!$8TT<NJwIq3<hlpe9XShML>5*1j?|q`zuAs83be
zi$Qrb6C#!f7m?kiJ`6#ZGZ6$`hMKOZSXge-_Oh!aI@zv0n}$0byH-c4em4Y3JBbRX
z?-Qnm)%pNM7wml{Y5*XN%R=h*%hGV{eoCoLrE-OGsj&E1;sXv(6(`LEJ>91sukUv*
zDDeSBYv8>8XEhpgh`vXyzF61s;I30wen?VTOfm?`n2#cgDFm5@2ApK4E|E}JDmt8Y
z6)a>t!%5Fq$z>OEgi;CUJ}IMz%W^^!)suq<GDv_ABLLFjc9of-6T}G%8ml22JTUgH
zKJ8YyV_iNB=e(3dbFMjg)E*j(UWdA;Br0|kag)noHifw~b%h7WLEKobzdlC^<~wb(
zScYrxA-!4ISk5H*Q@42p=+1#QTXi*~dj&TgGgh^m{?hjSU!)%T?4FofF87H5W9kNv
zS_(VU>va9)Dr`qrBpSz_s-%?sm9=j>zJIIw1X@2&yGB1AMA_O(<iCr>4!C1%&EesN
zy0&CbrFp@+tlG+{F;xH5z{d9F^LAmzTL>fb0i^wAS4Ie8dDJ+8tZ{UQ(i~EXNsT9@
z*rPFuwDFaT@@g*2q;mP9yqps3Vr8LSUMN#vm?cIVCkG_27TX8FIU?7{rNbnruoOsT
zR**Jn*BtH}J)V;-9rIX6<w-{(K-nVY!hq0`I(C6gR+f5|=ox;zT%wU?nhQfqO<YS2
zTxvi)#s4$tD#!l-*Sen_I(_`L5B&kIbw70vU1}$z&tu=Y);-==hAv}Erk$Xr#7Bst
zN0YE(&U?!Cc0Mhlc7^X}0JrCSi{;;>;gSFg0?(EUPRR-we25h=kM7u(gydtrG_M<0
zdQsBi9?dI4RaImPD}QE{Wtu^i9|z&}UGURxiQ27D$o%)e70o0k5AR|4pzzZit5b!8
zAR(NC&)Z6f%TZC4wASC$JV&aQ7^Km{hW>+t=pv6J@bTypezBAbq{NEIa|>}Tx{Ws6
z&^0i4Cc`KhC%|lmZ?^iGc9q!2_d7=(r~+v(0ID<tazb=`duyRo&r<8U3g8=H#K%29
zP=wboIFI*z|FN+jIzA8z`?cvJLvy1?!`QvC9OJwrV^d1wLNFTfpS6Vuy;LB2-A<l$
z4h$e3=w7HLZ44(tY`wWe;tTyUho1ww>6rD6$Whq~=uyLF)K>t~7VNZ!=wS^lWD*YQ
zvuizg{i#)7Ri~!m^=OX9XrX{~29MM3{aeUyP+ttnqkEN%+Hw*?ZDmLv^{wtnqssbF
z*411a`c0~pj<5MoK4?H<j9Fmr`JIcj4Y09`5KQ)^jsU3K^_j8~<!(WE;L$tbq3o}1
z-~Ve{!RCb;VDGS6qmJ*7I%X~Ssnw4el^839a?xu&Q^)LeJ4bAWYSHRY;i48N=50m6
zNEe0;Qevk(@aPT%qXoMqU$#&l0Ew&?)qOZo`?>A=Kda4@2S5+2BgPfkLU}-1Jh56_
zb$tJ-qqI;ScvQ6;Eq-eI{!eNj$^+8k(rTf4-!82%U)S&zP2f}wtu+jv<)38><pGe`
zYQZLfY@s~xs5QKIi)zL@NnG7*c~M?|x~yqlF2H>#>xvi#RBKN}i3O@PqMLIu_29g2
z=SlmFs?y)vzW;k$fhCY*`plK5HxK1?6!%_Ml^D=$r{TK6H=!KqGufGV<|$b?M`LJX
zi-JejfuxH@bS<+Z410UX)3PB;GvHA#;F}HESBA`9v&UQI1w&>YfIZ~AWXMd9@F72c
zAVW6h-c7-fSrXYE^1Niozwi70?=p#cdGIiXY#5u*1w&@SU=R68$&i2U`2Nqzs%Q6M
z4B1e8&&(mSY!P$+q3c=K_h-s!0T$7*D8#19O$k+)Ljd26Bjou55embY>=+a}VM4*C
zi#_~jCBrwC!p9FpC=4H>wN7pK%f9dbBB%b&1L5+5+HNJAcD3*OS8~YD9|)Hhv}r8r
zw1>R&=hJpZSnzb6HjTj+Lw+D;d_kMG(p;W&e19Uj+<G8GuA0ki&!vPS^BN+B>d`fH
zs3S+ArZQx5MjPN0`J&yyYK9S@!#Hh};(e0>qKT(0F34i7^<~H2fniLEn|<Ykn|jP#
z4p$P-c*eVV(zUyh7{LdOObzxm8nzZhLI|E?T&@oFw7BSQyrJ%7npW%XQths%uMvFf
zsbf1kMk}#msOLtXS;xLik$mG@uS1tqRlWgifS^c&v2j9vgZ{cA2UreTqh{PyXs_vq
zr){h`z4pX?TA~xpx2!x6ow%S&$EKt`<mZ1r%V*^0F1u^=Z_L-9K9C_-MRWHt_77CB
ztBn19Tsreovj;Nd1zkE&n)ZOle?A@?i;r_-z=5yjSYOE95CX14VgN%r6FenMzh7-O
z0iiaHuK?k$ySBO$k_xCtb+fZJV-D1&J|$CY&e}}jE85Cavh-$c77Idc>f3lqZrZHP
z6h73Z>eEvev&`DeX@=UAMIN=kYoN(;+)-&lWeS9_025|Epf<(IqtSaM=Os<@g4)aB
zy&QLzqhO&_b<|nT);=6(+&sFc0${s*JSZ?i8d!0Bol|h9L6pT~+qP}nwrxBABoj?+
z+qP{@Y+Dl>6C0b|t$o<qs(t;cAHM3Y>biaIx#yR{z~Tey?+@;CN)ttIg5RWm;zy$+
z`WC1%I%au}VTn(+Sr48QQJ@m9vMqfWW7!z;wMVV_g&#FN38IVG>ejD#w>Q7py2n`%
zA;}5R?<j&DS6dH@e<?hcA9En(W15AvoP#TbJo6KX>*gCyP#rW0Vw7D_vnQ&ur9PqN
zxH@(YOq$=z@-FXi2KIQ`3uo<7OpZK=j9wJm3^t=A!;zXef;(zsDveIfH@7zIt1Z4E
z%AM=5w~>Ozp*xb-EN=(Ys&UeI<@uZP{B1%W62H%?Ep&_KGxmy*unHQUS&`qIFl_%8
zDj-Jf^{F$*P_vsm2H)--GVbaj->Y(;LcEX?Ed{TpA8(vz++JH7Vh^Pp4vTl?GKVm{
z?tR%*=Qb!|pgl(hObJf2oRoYDi@A<p!<Q<^>rQmW`0sV-yabGSfra<pCN@HhmGfw}
z??M@x8y#?(K_xTuVR}ii&8M~Q)}esRxUFd@57sp`G*>w(hpQ)>Z37227sq1Ef}Bls
z^fI<lG1r5zr%P5jH+^v*<0dxi3|RndG_kGHISSfOmP*ToZkst57E{W`OAK=5sidC$
zRlX#Nigx41Kq*ZztC+CjtmlIX@VcPiuflvNRE-|^ksCv<&RMlrw$Nf=zrXJ459NkN
z@gvT^H&q*#M(ipz3Rc8a;v5E4O(!r9SzX;QDz3w<uIIO!m<dE#H&OSScvvcwcC`yu
z7AVHwh=fe76G9$5opgfIhiCOEGIUG;Ve=qj%CaMZ4T)2CS!{5jelUXK6=h<K3{2lN
zT*fw5vWn|47a*kixR_YV=krC(Ax6>L)eu-QHk{{Qv{b;AlZUPWx4&0b$T9?vZzFER
z_=o3Hx6%ZH#ngEh@wLyKsHHRO{aTH12S#ZH+;GK}H&sc1xMhD`M2Sn}ueWG84-7YV
zzTKd28|Rg7pYas91F!*}ALL;+cGs0B?|k9Khn@b#j33EJW_2!f=LQnMA41wZu3SX9
zt-m!CTne1|uT&H&M8(QhVDrqLMPScYD@4HEOnH5_uHV0|dJ9F}_~dM@7oU#njo_z-
zQ#2)R3?mJRfgnxf(&gm%yu`|yan%#K%A0k&7bx63S6hDRa9_%fUNzL=NrSBB^SW?!
zt|6lDmEF0hDR$8eK4CUjNvlJM(4QgW%tr4v-;_}#&I@xhuB??v)SWQGj6k&%Pijl~
zMlkqDjn?2%THCX+@Kq5F4kq~wu250d@-Ny*3$DNH>QAi`Lu2bpK}g*u52emdM9{;>
zzy)6qvdCk{)g;-^&CKm&S`ICGjv&E`JMe3P`g@BqQ-rZ0F3?nY=-85=5!PG|O8M+&
zDP_n`q!pGQ?e1oI)d#OC(w|&@<Jp><3k=}P{*B5wB?&1QxQ=O=`nZqH^N>Gdb~;)Z
z{B(m%>Z$c{#sKIyGfTIv0}b6oi>0X;da}t6v^sYLw~=mhx1<U?mfQSUB{u+on6uQ8
z13UYazVoTm-YVBCVaRcg$(<SS6v786e5r^o-=w0gFxBau`?06(x->RBl<J#j+`DGg
zD0{I{ndR#vBRGCn7qw|RUnk3F$97ilDGRFj@{X?N_rbZ?y|oPi@1e+VJYpi^@pb+w
zimcSzPe?RM`n9!O8fHhP?Qq$i?(vE$O&9b%f#HRV;FG4vZs%Y?Q#F6Kx}VW-Au>p{
z;Fx(FXZoxg5Q7I!nbE+l{6sQt6o1=!@xEGXH<6Tvjt^@;Lotwu|NZyzb4MS4N6oGJ
zC^V08+j;Hrb8h)|={)^?X5`2m7BDcw#Vzq{g1qyQ(?h+c>hoX@zxHcqigB&7dYL0g
zscVMSjkoOajbvJ4*lQmYXrh8NFGUfbn;>>zu{Je?nu*F;a#2aim^$bVU>Mi0H&Hm1
zUyR@5o4<oVT~XdUa|GX&GLSxuo1a76W+U`^`sbMtpG#_i2M{X~i7NSRt!t_r&_(8W
z7i7Ru1~6|XRS&Pc=2hAA#ShlYO_F^qV`S&K%Xrj=%E!xK7$(r)b#s<gu=Dkd9=~iu
z<$ZanxOf+==;|P+<jLfNS(~q$K<9d5>u!h@!`cb{TwwQsF1!ro$4#+>obkz>uc9Tr
zP8@00g&RD2>i{cn`KNXNS=P*+yL#1(@HlASy%AVN;a|kCL%>cED$d$!DbTX-jTr%V
z1lKOrz(#{hH~_@c77G27H-nsVm0!5VUN9Ne`cDM6vy-l<W|?0-f^v|T8BMWc5H?<k
z^Q#|JnvR<cxy>68L^&tA`9_|G^fm0BB5j=J{Z)!T$jDp*!GnSsduG+9*1WtOv!K7P
z_PaFqB!0m(T9Jm*G)-<)bI@yed0xAibjM^e=jXrlb6Z1!?J)74oAV72^hKyp1mYZ=
zTNZ#Ddwq^OkKzW~=Z(iCCSrL5Y#16rLY<ho7mC?18dCOHcur515f_d?oEIAw-Ak({
zPpye6M(l2G+YjF3GVapGsk3G{8QJ}+UC0!9hs$k<r_IZN)GrP*UH-P9EtlDfsW;!3
z8(vE+8_=jR&@qU*bz-RTccu)-WGyvlk3O@yzTwfu_>1~^I?*?%bxo+<l#i17YMmO;
z5G?0UWK`gNI#=S6#?Zh%EJf3x@V^tt%xdj~f>cn#)+9l^HC0-dq%l0k3@y87=T^nQ
zACZPpy7BR`K2eQZD0u?!%!^C91<1<u(ydP2P1pG>dMMLFA~s|8VWZrwH_Tn6B6I(G
zBq9APIq8B>!ZeAPL6lZ<mw^Y0B>US+;LnRt03zYmNg^_4pM4{FF2FoDhks9Z!9(xg
z1YPxDi3d&Y&EJDWp3%Ejcg;BxamDzF#YUD;3+2DSL_*WgS43jJ7ty|Bl|C}hy#8{a
zCiB`a?|T8-niCtBbl2SwhS~4W(P^XAL)^F;bR;xP8ZP$=ZUnkCPC*~$+~M?fywM(R
z!j*+9ndJZZZEGJ%l_mh4tOJ+wDDoIq`cU1~Y2lb(fTw{6ycblg0p$M)!x2?sIWM0)
znV1vkz1oQBo(Et^Gj1O<8FMzbdA)!LSm5vEH9(v9!U$2`HDNNKieHpNC$R*VE<;sR
z_@GzE%yokms8HBa-FkPE%P_RuE^Tbqmb1r1=&<%`I#o>gN5HY}mPK~tXm^+?WM_-d
zCB_;W%qllp&mI|YnYc*65T!>ZHt&phYdSnUIBJd*+6*LBHJ<D@tdUjWMNd9gxmHxp
zC{fVi2XshUK=1i^Y2m?jmCqDn)V!6**k<_C7Cl-**0jJR9Kin#b|=_Iotb!e{MUM=
zjEj)CTOlbbun0$^eiTm*_gX#aixqdgfK9Yo&{gZW{chAd@#w@(r~<-7k^}EC?zx1*
zNn=%Q+meQAxr~8+9&fpQbeJ4ct@EgrqB>s5!rimQxCkBUm~qaKPC+`mnYD-+xmlrv
z%#_TAs^!f_Qob+KlGyR{ig*-(u(y;Zzh900_r2_oOkMg16jLmY#VEH|`A3_QNt%jw
zE<CZ{bP(pXukifqOct<)>cEm`t!u)U8Lx@K$d@Utz7#Eqzc9e#ZdiBN7=D`?QLdkj
z@=G1C(MStQ9Q379d$c~Gxzag#ufR?Cp&|f<hBm61G?k@rE5+6FRl_B|K<Kx@kY1Td
zAkEwP%y;~^DH(+Qx%|BJsOQA3bEHyG`#9ov?UUFtUWR%(^ZP<ZPl4Ogk}kFg?=lqs
z`O8;Pti&cr@IFd#vF+t<e(XY!YfQm_O0BbP-;lKGbyb`GffRetxi0Y}+}@TkR0|A4
zn7mF!4o%v0YkERXiBe}uka~$UXuNx0BVnNoO0q4C$6w}<85jmLQuq%aLu4_m5Hzor
zl2#fF-9-fu4aVe?9KLnV68%Oo19>1bPJ<tM#vtz_4;nh>BZjM}4zI}_%uEkkbR<g~
zJ45S_=BljB+wm+WAB>CM(&U+ToY+Y9+QuSd-q6N3MeRm7ZA(tj_--{8@VWvUS8Jsv
z-*A*Y;j+1;vrzHT^P>l23O$`R<PEf*)81`$A1aOLPjV|)4oLPtT}@sGeogvDFQ`x)
zOGiW~I}E#~r&rjREcpV=lgRalhi;%rSU<rbBp6uBr_u_4Q|(ku>quF9wC(yxbv<*c
z!TBGkB$2y{UND=`h)su=kV{P26bC5EMyGG6m>O0U^STP>RJ4kaQUIx@Vl^zai>>(m
z?6o33c;w27Ru6o+nQRorgrW?5kTcWWI4B349M#gy)cU@1lTFynwNtBHXIc~CQNhs5
z>d|EwjCO~f9$O9}9Rb$8lzXq5*MOE;=hnAiR(|~3jt1K+3N%a-A|eC-?IpRaqEH><
z+WA>*r>bW1TwbC8j9j^Ic^QTpWd4?CyE4Adi`G)moDN7KiX*-<c?eNywj{rmQAm|^
zK+#u+>Q?aT-aFD{hw~XmNiHAz-p3Uhd+)E?4zWNQi@;>JaaZ`2W>r4(;-6TBsc95d
z3GC6HGPrKT#-2aqs@I4wRokE6KY_#l9Z<Z>2b5u=1qAeh5Ay#66vO<iH+6IXm^%O%
zY+NsWZC!CW8&5sHVbVP&3%b!VvOis94Xz0?OHu6~Xq00Wx7B1oEHlXpiT?m$DM#0Q
z|Aw9IpE8m<@6XPz8APN>00nU3#QZJ@uvT=<lp3J2A<Sp2LwcjY^bbBHOW5i5euOE=
zAEq-!&32nZqfESQIrB%#C~VbZ43JlbQ56AxeD_^)`P4a`#(mF^!mPLmxpcf*fuV3>
z41gIp-AgpTpdN43fc)Ijsb`zbf0PZl%ej8{CqhLc34JF&P|06~aaDjnZB{300@{Eu
z!;ZCe4dd3SM|=Ea90L{*F(kNjMErM7gt+AxD!vVENehhkh~8ZrV(i>2a=Q0t-hRVy
zS~>>sFnhCy+=vfmwkW0gd5^4voY|-jiSBAK8r9ofIg?V>0CIVu2@rTiM_JDa=-!oM
zS>E&6XvIfh^V&2!%f-xAz(PlX_iN`9#Mh6Lv?Q!mlsvfIeV>1Ha&o!*&Gd2mcKPw<
z!q&?rh#R*hx+Gas#hnih6=3O)Hma1!3{0K*C)rsD%Na>l0z4lbBU}{Z5MjaLLLa(G
z;;i2fOJ6TGG^py}zUg8%XtL>`=^uKfY&>^a@C=d!W;T5|3T40{-dy4!8dn%v%?*xp
zDA=4DsiB1}+mT%WlX!G4j*RzL-+T|4f^#Sf37OI^elWZg_};>zLL;0!kh4}juN1u4
zwheTI&=oUKrfdhAWRC%iM|=bM&2`}C&l(TxyhoMP@V^zW1)Nfgq7vf&Smh)f&?Elt
z?zfM+(u|W3-Q+(aJbIn7j!u@~bc*ndH|Y+QO3_feMj;|cGMS(up!<uKpmd8N2QcX%
zO|&0*)rGC8B!a)<UqGmi%u5a!Ph59d$ytF|b(2xwfETsZOHhLbP$gMqTCU^JGh^mU
zQU4*2mdRJ4>U0XwhNoN<Q-sDuq254B*nvvkr3-2fVv<jo!-`n)VK7o@2aR<iajmXb
z@mHI^0`sw)2F^COGe7#nJjh1MHhzb;076#akR1+kEW`CP_m42=tDZQ9K04Vy+#uw8
zh@SKM6(_X#;B|WWVFL)hNz4u$qE6Lv)rCq$qJ!^`WSJynwa?!mWUvdnt`m_59w!Qp
zBF{V|lZBt8u%(~ma%N#Nw^=&Zos4Y^(GZ&<9TO@4#>vaGR@48k!gl2HS4tyU8o)k=
zo#&zXj8vi>2fE*wg=)bFMtG5Xd}&qn4*hr4^iL*^fCqUuh|Zhm!;y0!FTjWAbh>y}
zsF!T7zYV2y<!4j}{J5>5V$Yx4j$*It1kNcgKg>0;1n-nUSx*E6kY|c@l0=K}p6!3N
zOGs>jelsy*ANom%YxF%Tu{IKT9mNds=KhxtKL}_l>9sfiWD;=E=?nHR$Ps<ncxxcQ
z`N{U2lpI8{(Q-^P2UIoN95s8(pn;X6`MWJP{*c@55Nb{kmYg;IpEFO;Ggn8BbLt{s
zjHPuLNI)MAuamZYr>wNoXws)c@<mh3A*;7+&{8&^7jE|~Q>ptUyDyz9GA$u4t@wm1
zf+}fSdL80-SjN|2=$l@{Zyx&owr~YXz!R{np5|HC+P0)tssh{_66O5~lQ||@^fn68
zyZBu|jn#-#rzIO9wxJm1g?Ph<P_UU#k0BW)UH`fkORS|ghCeLbP~@%e?6i35EY$YN
zB~*Ok+<K}r-v9u7XCji=I10QJIrh^yp>jrYYf?4eGdNOTZE^9{F2C=Pi5BXMDv#e<
z$=4fUw9VzZV=hKUbHX&s!0!$3N^@ukRzc|Cq0EUAdy?c{v0O`pg!r@C1I48H4}R?Q
zz6Hso3XW%GcMM#18_RCf3UcPYoKVTxpu{yjbI4ddhk1hx;M<;byP=G^(>7Kk=JGhh
z8i1(-T?&0^|H(D<9*Bq+)kB|&Jr+k6bTSN=)uVz=Ab|hG>hq8peDZ!!^hiG5G>|}#
zCDyx!`|wGzG{jen<PrP{K!)l~X$jepkEC*8{yB(1wdrH7j6o0xX%Lc1Ji`Gxui#NO
zV^$e5Z)2Yry>w17a{BDjyq7OF3NxbTGdLWuwDfC61Qx2Nv1078yl^6yC@enweptp=
z31ZTn&mAonTr#pdutn|OQ7iS=R%sB~xKl(eH8OCTi0JA{xD&PvztC}_wEMXACcys8
zkQklHMH}9W7hM~K9HVeQh$>%@xLw)5K3)s2A-mOrIO42p*lr;11zrZ-><LM*W^_1i
zay6-J^I6=HS`ncPGS$RWmb5pNt&-5av&5S%{g>(Jt*&f+AVZ`Ay%f~;O^jha{6)eP
zLG68PHv3;+iaStQNe|rhwm%X6t{3MAp1|82qkHR%4~e3_*U7zj^nRUGmS=8~a%U_w
z%n^L+IfpTqYjqY|jtmKdj@;pCt_nDoV;Y$fZpIDUz75Obzj;Vg7N+a7S$erjRa+U^
z?4TcfDz3f-Buy!=lUgkXxlhrXFy%n3Y^s9t7%2QUBlqECT_Aahy@EY!ZRZtdh(7?H
zcMrFhG*2Lz%?ogcknN=7t|TorUgK&678eDzi947i2qG+BaLPLwS@62OHPPhr_+b)Z
z-mKQR8j|)8G4tD`N<M9{k<Yf!`{}<UkKGN?w2Q{qyZHzr$a`ZR@z8KXmV!^_*>41W
zzBmwctF7<)U=Kp#KfURqcXhRUWcVVmD!~}dXZ9#b#>j$b`8+#wckHtBvijCiNB{C8
zzC-D%4~vKezW$}N&tzmxyiAaFLX>7O&UR|_kx;8=Pk8{$>H6jx&%CZ2U?_ToSrUB{
znnslc?eGAB|Ngjisj<h-Ugslidi_fgs06HsFnUl%x<)6qS+rjk2JN-Edlu|?pW240
z%%>l5&8weZW%A5f#S590Md6`a-!TaCdj^W2!9Oq7B8}~dG#_$@MgUkhHo`{*f0q<s
zNBV{?H*<rZu{R?2Ml>nl(!GWuA*g?BNyHwA8PsQ8p9cThzJj;N2Kq&C{1VF~kZrnw
zG~Imzc1qGW_V91NhJRbY9=%p_%pL!sX`w|I+OHL~5q%IE<BnAJuICu=WG(4FZxF|{
zQ)lum*zJAvO{u!nx~jZ2pwk?5a00mvcPcmYNRGKfkW7{6I-?Oj029My*}YwvSCnV!
zs@f0c{{{<$RB(MAz2A!B2P`FJ_U~#FWJi}xC=Ylicb^>Pm2A8o$%>tF94}*;V(JmR
z(;eFw5Y~kE5Cf84J5OJ2e~=siRY3E$n+p}8;hGP1QAjJrYn4blaPoox7U-QlW*1XG
z=b?F%tTeS6n~Q{(<hn~s5-9pv&KCKtXA+Bf8r7A$*PrM|XN=t1lqc-$7gVsL?`K@A
zuQX-G2Odk-<o{3uS~4&BC-qgCsX(=lP-LgTsAEA~vmYM<oJ+B&M@{UsiZ>iBTzQy7
zU=mY^9uVRU5<ElKZ#`D|w@QR*8qd$4dWQAv*kJXtWMEQ+D)H?NEcd5abMIe9AVI+Z
zc}(alIm&Nr73&52yD|+TEv7ROaf(r|B$!_7QBs2LlM!IIGte0+PT#zWvx^72oxd@#
zk6P+i7P<Z4sj0nFQm1D)WdgC}24F+lXkVDRVi0j;p{ZQ1o*u(j8fwm+BiZXatzuy6
zOmNNTv;uaSxzs0tE+y7#VVhECLlx2r_t|4WR<4p`WbnwCYF)m6>W_R$!E_&w2P5t(
zIo^sroD6P&WAYW!>`#}IbajlWZMIGp^JRoY)@;Q;-|Q{HmEwDzZsK&@DiLk9?~Bt3
zwXFFW`7O+M`KOwXvco>T#H8fwP~Be0!Xwet;jPmQvPY!l4jJw|B&@8KLCL!<>)kR7
z1}l}YaB63+9tiBQ#H1K@`b($ZJ86nrS7_D2-JO-LxD}6c%wB{vnyM&_ZI*>rFQ>7Q
z`5E^0A{6c{zH?KfzIm%U(WF_&2|R8&w=+-mI$A_r6}^1IOzV0b)*PokmseIPMEyLL
zdLa9t<shI}MH;@(M?YHP0^%m-1`ufvJ6wO;U%&{ulowz)1`Hi(B5zU4Z80RvzQBp5
z%`*iqiX1=rMiRTmzdF%K3UX4pyU9sXJPN#y9YpR6iMK2)q0Cjw<3S0sy0aTZNtc#c
zKpUGTD^(NO{G|CRwStiO9%vUMiN;ufV(|xdXdAq@uX(?Ct1lFo;f7!P5LWDd7_2>)
zgHk9p8eBsHo4$eN{;9ASib*nu(zB5P9zKd)zOXy0%3M$rK6ut2WHp@c80)69)?ioH
zuM+A}c~il8)b%=F*rTm$+d&0S5~am`BsPtqu=1k0)0lB`f8`6E)KG8j#Io1j1;+O?
zQe-0M-`BIio5Fe)Jip=d`*HIcMQ2NLizu9+-@9z~+$d1RD{KEZIjUC1o_VTkcEXPF
zu6Rcsm|nk{>+!ex;5VfWcZ6d>(SDSbJ!g$ZyQi^Gv*A@*L)Y14x?Ch?{$q*dGX^|8
z*-yoh&&yE_0>AiILqml?OiOX2whvQH17p_x206!UV2MIs?36=48MY&e<t|f5`(>_B
z(YS=9kh}C)qZ6u90aT82bwqYx!o)OkS0KQ=h&|lqNKgcqlf|eY`||tm?KiJhNvoTP
za@(e_H&TPLIjZ_HY8HKR@3Io|(|kpWfK63O@3w@ec<|s?9{gMDkPk$tRW-cUw%6Vq
z-x7uc9S!}7mxILfaXRY&in)J?nBS`k_`UzvT}f^6Cc7P?PTtp16wbTodw!6GTmY<<
zPy0IFgGSgx+=h(LVLV1P3kj(CML1pKN!*x1Gs&#P&{ZpYF8)Qa1Rko|6Ou{Epqs>L
z7u6$qM^Kb$*;9+AjY`Wpj<N<Fv&6g-qzi?pL~#-NJ5tzd6n~YrjB6H!d;$}v^Bb>7
zOJ{=K4rY~72CS5uL4nf;6y^dM#^q!2SPWCB1WV3}O6Q<B8$oi+w|uVbL6%8kNPqGt
zRpL3E=vZ|_-ZI$tLMv>IsteC%gM$E|nstPaE^Pnn9_chVa`$wUs-GpJ$eqRdMj%0*
zmoDfU#&x5&VF6pgYeHzwkqiY0*4NpwcWD(WO{>gJKx!8s5cFkpzKHJkI5=@hZCIH8
zhji(jNYdCB$+?u^l-5I@ypDn_f3>05bO;((hI&hOTV@YkLLr$5>nt+=>QTv|c21nT
z#S{S)L2h*-*WFP3%|Xw0jAyx_;VqWUj=___{_5j+ZA<faL<kJv;4ZGIXQetJ6e90?
zJj!ek#afF9H%+qSPgOSDHu-4jWhIjV60*v8XNurOLY8r7a7vmu>F>mfVSmqYdu0Sv
zO#=13%JkiWV__@AA`HJ5I&Y{Yimez0+LHz>N>&l)PzSgg&Ri{5w+3QRCl*ONoPniP
zQt!O#!%%b~c+S=kZUz`;v|#$n6PjS{ed~r+TI^(Kv*;PLq&BiZxp#=-d8tt?F_L5(
zscrtlSQ^%UnAzK-Pa1kUTjEv%U4v{7M4cNVEjiB+jkYSvL=U>6lW>$qwZMwds~O&2
zqf^jRSVxOcX>DDTnaF+~fDh8tNo*_!?!Q#e<?&u^=0=c0|JLZk-zvlXTT~^>F?{(q
zt`wdt&Xy$qsy=~X{kTxu9!IWM?N<w`dv9DaYUt-wH${dGPm&CIsg5JP$1oZc_*#6^
zDoOkLP2rYx(rLzpXbi7?#2LACLDFoOBpHn6PCHRW7Tq7+z_wk=g03d!ui%uMB3%2P
z7OmZK){C{yo}ir~BC=jpd`{bNB47I&E|EELhGG^U6=JTk!FI~MX=q02R`iL#FQvqM
zACC6Y)?jYv67h(pS~M{m=O#tzh>5vGp)rU$t&p}y9&P=`g@KkYSCRd~X=;)8695hQ
zXz$<#KoixyPJ$YC;UfiCY5<RZ_?emJ#$fjl+nUTkDXt8xjoyzkAgI*S!I>>Xu+<~M
z#P?oX2YcKZa$O^7l+Qv?%xy`djX#%jQg%KVZvFx%(T!VjCiSrBi+|+d5IA6&WUx3L
z@1$fwnWjmFIA<&x(zEN+({S6>P+}9b_vejWA&OOV4xp+{R%F-X!%92q((zf(6X(x{
zn|tS-3RW2D*9U@@3~ecds29K}U4_23=|^hYtaHuDm+b(xwNj`l&zwZ;L02Ut9}_AK
zhj!~$m`kGksuG;OpXYw_&1!HWWq1WsLMzH{+4oq`DC$#6frL>Qbmnibvz3pGZehG2
z&u(3OsZwV_VONuEts)xLtyvcg8}(%3Qss^#?=?^I+Q|0<7#FvyxD=&-np$*xB|bW(
z@>tZZG<FSR6IY7lbH222=Scw?id<m9Jg;n`8v!QpU#vu`@_Te+1&u_*6HB?6$ZjVy
zet4p=;+JW1V+RT$f2<4!MhngT3iX4pb-r*V4=n#2^K6Tqh8vlOooikv-_~xoK|hy>
z`d^!i6AOk%HwcfX+Ah~!l(lNhBY2P^63ot8NI00Pr0`M~?MMM+*I}4rQOvy`Arx0N
zUXpYCk<7^3FY=)$D-b`=@A{0_N;yQlGu+PvX(AdLf=52yI(H;HEe@x%GV{5y-6EeZ
zG@HfI+Ri|9B4uPJ@u6FR`r3Vylh)eGhyFBL6E{d5CW&J5rye$~nGMN`lT%g(h2nzZ
zta~-*DPhE5+g{{VMtN2l{cCL2b<~yLQZo*!b=A&v01Iw}cYM?+(@H(ydiMmms%fi{
zSU3Q5h@;Bcl-I+4T0<L3s%`}q7`hf5Y@r`l5L8qY_za;mI)pZa<o0ab@aX=HKh8<i
zp1CChbybw2OM+lC6snLfPPil5uUy|eZ(Oe7tl}X*CjB#`kNSXAy-2Kl<93QTzh$nR
z*0x*$rI$sqG<{QffbL8=1#`{n+kj8CotnM9)iHs?dDg<_=C+1j5aT2y4j%LSAGutU
zePbQ4T@eXrM?fV0O&So`3nzu?L+&uR6TYQOcCu=ym6NmGUE>=W<bqj8ct4upO}Zz-
zbmM%;5m@uzC70pw3AK`Vvvko&uHA<@HIv0=xC9n2ESqSCw^KGeNIEsBHV{p1gNoOh
zgp)-{nah;Y`vSTG5s($?dp*a|S4s-TjG8WUrCu+UqS53=qax<<5VI(zjB-QBatXuG
zLcUxsOdHUDL<y9x=yjbU>K>EN@)^x65V`_da`_5+3}9v+Mx1%UYJS@os`QwKp_oiE
zVJ87of0Lg(d?Z3j3()E9*{Q;*PcdCU)QLaw`^{<KkPDkTO89nw9O?IC+MQeAtgUOf
zSMV+yw^f$(p_6PK$EuaUJl=*QGh1V4<Ehk2q6^!$?amG9ae$iO%m@1Tmdz@r93)j?
zZ2aZWbIKT`9%%0#EM(wy%eaaPSq(~bs=*E1=ehErUg$MJ?{TF#x#Sh;%CitUGfa_v
z%<;C@IQ`lQMa%KXD4jHs1!Ucbm7!#zqe_;b;M-Z;WDz`qk4SV0_t`?4v9=;_bz2<%
zU?|y5ZloXrK6-ZL8-jLEtMF<Y@`NAdq^w89>pFI+<W8CEa6C}tr1Qo(S4*eS8d+gl
z7Fk-a4P3cE*tgi!w%PGW*we4xX*hbY`Jx@Iq91rpA>~9r{qh(7+7Jl~ywDjmZ7NZl
z;kXa>g2VW>4+U_AJE|mKITN+A<5ZT*{x#>kTo>zy7&=;RKyMS*IcvfFyXzEFq4$Dp
z6p@U$8>OJ4<x(%bhR(sLoNH=~Fm7(g0b5mxrJkVVDLC4U4f#*(OUeJkj(9}|F}nT5
z1KW=wF;B)i4KtZgpB)wl?67zIBF2-NH=))oLwop}92e=5_VrnNb+vd=PwbpU_%qe|
zInZ{mEnz|_0*!p9Cx}ZUHnbvTiSa4rt7iqIoD40y$sB<#!vs?g;==Z6TRDlRWq2<e
zRx^TO8XNXr<KiYf0;IyjwYf9Ce-D``Q%9GWIP!q^XrTm#F-TN3HRtH$3AI;1uc)mA
z`b~;d<+4RVnq@RuWF^MbIg7<cL_{6e=nV)ZNe*mzq|{mYpt{0JXt#=Whk!5H0G?o&
zoeIYDysTgg19HGeglv?Luc}-qifZc5^a?JE14b3tszToID?zpts}2QIEyRyuH)I#g
zonf#sVAK{w8)qR@fF=ZqKVPST?vY2ej$^~!hR1z`rv$p3;de=mN+QA|{9-@tR*{>s
zcyCMb=6Q@rG(*lNV~R}YqJ09$I243<EUr}+CmeW(Z?t~%KZHjQ-JQlAXd6|;PLcgX
zj!gZ(A-N+HjZ$x90*1HOwPaJQHK{`7V&jmH>xV>lavB_VCgy3S#OLoV%4x%6hbuE>
zYckTi3B^&8&dS`?gSL<^6AzvD1!*`!PBKd(Y8)zrrM~wRT;dxXiZMk>EqK(@XPk{%
z-<@6VDm?^q+`c6vGR+TO%EX8qg-vdw63Y|3DNszaQra<8RH#z*F*@8Yt|!Up60*7x
z)RwSGOis-n7t8C&0^PL@vY%MUeIs=8Vi9~)1CUa5PN@alX0om<2E32~=FaCU>*|(D
zRdh-mhR)J8173vozm##kYw-2viu5{Z*v6A7rNoa#P!-`*rpj$x8I~|rTt6@Bc&aN!
znqm+->r5KUr5XYg4R{*dok+drbLJ9V^RGhEhd0uf+*4APo9doWZLGoTYjJr}>*Uju
z;fSKY*aZYd@$5pPZnJ9glrk~>u(VLoK&{*zAK=@T(E6=_yojwOM^l-kf!CY+mCoZ9
zblqQCaxA?0lvJONW8P<p%~gvQ=2z>kKiVAT+_si@^^T>qeD1+KN1iA3e<J!lSL^-f
zag>r(F}rkA8^tic%W87uB&;h<*M9KZm(R0I*d0G(y{*^ZDzod4ZubJ>L&nQ_Ua8-E
z`BiRR`@f3h^qoY^8;Y-f_qI&g9J>@nisT?aUO$X#1DG)LeTK+byCgd6JThVC59_B^
z=;>dO-)Jl8Y%ol|jHD`*i9#H8mT@GIJz&lxXywer8_a7B*qx+D;bU7t&iU<fcv*VW
z6aWF-Rm#qZ7smxQFz11WtCoMgG~k5Pj!Cyk9n9c0>cSL+Hb5CINViW6Ka<xID_Uw#
zsN!mj`^e~c1<Ud6;ISOQsrbh5VyDK`%N}H3={`kA=QOG;y?&H&14VELig^e$Wr<IO
z;DeAoFzR5+=I}SOaOre)gb&?&tg(DEarF3FyJyMB&SeKvAht9Y>R7KH?1X!t1^KnY
zHlw~Iy1^cFxeu;SUr~M%F@(bB?VaA5@qLWiWVXkfu*v(y`4;!%|J$AEcDlJ5ET6>Y
zRi7ssQRL<Os)Sf=H=DGpkxTw6>r$7L95Nm|#dorv{hBg{)Rm`|bZSmAw=ZN(+@8Q$
zFl8tt7Ol$(mHDC{X(f?Sh9%Aos3c^ps~dQGokAFpbvdTN08F<kmPo8@9w_L4b<F6c
zPJJEB>V8!y=n9Cb;K%V<YbPe`4N>lx>TE6v%=1m2gX6+m=8&9ZS6&AY{AIzsZ!Ig_
zD5T5U7Q&Q_^JLE<t_Kd$nURj?V8A9R3ar#z@kBf=Un{d(Rhfg#`9)b0!8N>Y$^&W2
z7bz#rg<f)@cEM_@DRW37NbAv3rG_YC5Sl}l8%|^UBxH4^@FxcfzHICBLPW|}_QF~T
z6CbeTai}S|JjA9r?jg^Y8Q{ZhwBPZ^L=L)E{E~sYV{p8400qWn_{IK;W3H{{hfAGB
zee%{qIUCRr7(sM*%VZLSFhjYX*p>KizM?!tVT`;^0mdBVk}!h=_JN1$^y3Y^r&SR1
zo9CJ0PBkr=;jT(wszR0{q_+k?f_t)QNl%gsIGNe5u5jp@Mdna)g}%1P$BCUFDcg*P
zxhU$zDYG*Ec<~If?>nxeB3_-VjO^a}4ZJmMoo>hgahpyn)6yyEnu(HUYse$r>==Y+
zlxDFM_E~o1ahU@qVc&C;sXtNc_Loi1<*wa<roe9dAYKONO@-tY39!R&x)+<??=2id
z_*#J&-M;+Z-l%6JDX(G*LB`rSYR;cjFu!Pa!J%<`)wJ8PJtwwU6K=E)PeK>b)wrO8
zB*nBMt5s?W?U{lVx0|!`u=(}nTPG*=vv5~#NSf&jFb=n>IF?HseA^0dzz{i-`~gEi
zL~JiuX$0iK!M|A=IZ{>}dyEWamZIBNwdsSVicYqfl5>na>1BGn!NCA@^%AVDzPHm@
z1MCo=?<3x&=R$`(D{y8rYPH~<Z-cQuoo_Q>x-^PlXKnqRhm)1lySumh)6dhF!AGO=
zXQ$d&Mah%A+9{+=!oE$Yi^X4nb*PF5C)VuS)4MYGc$&B!^n)*8CyJ9Uxc9R8BQ5yL
zhhIKC?KodbqAIra8D^^=FPCNg<F{cFPS>v%Rz=^PI5}rec{31#@Ue;z{}d(I({DAh
zi1XlUWBqXK!Emh`%{OL$^YMQBxbt^*^YvBFdY@S{X`4#9C>(mFo#Eu>>BoFsoWH%;
z@!`Ccv{v+6Br-D0*3E>SP)-9~&~u1(^I+4G%t%=DclYsqI|DR=a2y}0#$wPoTYl^}
zvqk-Jn?x5JSp^7^X_}*iF{OlGOkD53)eKP@em>?J68QOb8&7NGK@PaHQ}T(+PI)A8
zR+%tJe&fK`ku+=O{maJ;3u@XsJtPCEzWY@M{^9Jz&SkCBd2Gz|hUf%|y;znR5kJwl
zIZUA!JtKgZ=euKux^*!9kV_CZI%>INXb8suSyoh~tS`Kzt7UrzY!jsIL%S*W-Nlg=
zkmGYSAku`89f@T~nCHva_XY4QJazJ1TXHV9U98t1vE<JW%NyxQCNF%(rr<AYm=bj2
zH&Ywv=}Da5`n31sDHY*lwifXKZGSz!1pIpTsP8g2x)AYcPYeHPTkOTV#{&t`Kdg@I
zC9`TB2Rfy>`e5?SYXUA{ao(RguLF@jy=$CJ+6kOGyM!M*uQxn2o0RZ~Fa`Ibiz%23
zZ3|#Cm(>go5IS=Kb8h=aYgRLC*D$H~Lx&C1QFIT#&EI*1eV2N3Py1-jIcrp133GUD
zo*!vd5Z`?Pqf(K*;@^O8yaL;;VU9?umOQqWJV3~hUgWIU46ScssX#;rohbYqZ$u3!
z=~$%Z5$`vkcX-xN+bYs4RA9i1a|%LUU<QuWQXSjL+aEitMOVk5f)10km8V>T$kZ|r
zQd}X@iWN~mJ5&2{xU42b@jKnQ;}roV$%3$k0>zx0LHQyz!lB&pghgK@Vwqhrm5yY}
zrm?EAH$&OfvL)aR>xV!$G$8}~Mr-4FBIsoyUz1LXzc-5ZqmFG<sQf;B?J^VTd<86R
z^n1uh_zZFYM><Zf@svvS;E0%r%k?X}wZn^>X!#@RbyBp}^g$2#k{rD5W9tPJ7INwX
z=GmrhRCQ6jKG_Ch2|8Kxpdo#5y|wu7qil*0Nw-e!@^P93lTZT`wg&&GV|{D^clm!R
zvdx`)=whvCIleAEM$)uzeG7a(&S|(8uD%P7t^HAT6*^r!k``pf>3**|Ww^Op{zm*C
zBL|GPE@J{Q5YTQF(EnrPK=@xqj{m|;_jr0Aa3pels3Y~fn_UuUpPRB|XkDxqn7Qpo
z)U|A#t;gKA6QiWA$tU1|+|672JwFTYK?viwrcYlwz9Y7YfvAUcDsw&9UZf_o(ci6n
zWw~EaOiS7Jp<{BBa$ooq*SJSvM6pmbw|u)+EuOjaY<EkIJyuI$U>9ujvQRunAL0%D
z?H(g=SfIP0pf=xj*4|Q9IWGgz0~*=69{UwnEUo#~msWCsl7_ggoe&@GUX)%U-s|b1
zk}59UCHl3KFEy4#496vSy{@bv-Ax4zg!YH5tP^AO_dFeLcv!Y8FJ}~<M1VVmHuH!!
z?)Gjv`q3c6+arx6RgW<5rLjUJZgPAU8|CTlE|7kUT3;2$+neocWsqgWW$0m1PL+ld
zie?SR+iN8`gxB)haQ@ZpbzHbv^4i$=XEznLxFPV9IKv-GP5KxmkTql`e6Ge}dWQLG
zsks0zf3!8<hl`?L4{KFIn<;T%K|CtHbHHKC2|!@2RUgip$aFe}3X4F~r-GNO?^5ms
zWL?l4p_uRC@~RsW5+*LiCT!c7RAbi7VGf4wUt69LPjk`<MWQH0tB!LQX?4A#bq4?X
zJbS*UaUTl3Q)G#}8Gm&JUly?`O3gfB5iI^Z(8d?5!vq%iUnxl2$TlVG3gW=`IdZN@
zWv~jP3A!a7u6Nl<;2OGu`ntE;a0hNA^OM7ILA-R6S(8=7Fc0F$EW**l<)KZAvz67h
z{-h=CyJnhW<uHzD;{;h5<R7q6aFg2uHiheW8F^1nA&k*5?;*FZKCrfpBkux<uOTJ?
z-9}`>9@JSNmgHpDHXEmXk>HWev60M!*0GV<L{oFg4X?l3cu~;+kuD4T+=AD=*WH)y
zMtb2<u_#0RqnDM-sG=<oTDFSfQ-;0ytXOWAB5R)7^?@GTUF!+@?!xS5NgZBw%YqCp
z6LY&^QB6rdgI>S9e)+QC#T5PvTMasWX(xpL-7Uc1)r%E7Gpise`iSC8!%zk`4OQ|>
z1ZmX*%@Uj(8Yd~MkPNCQan3VA6$Fk>T5dr%5n%KSf_-=C1~Kdeb5I!I32^uN6zJsQ
z=lLXX(no5gx@XHHik_J?Np)c@BP#Hec97C`$=HQt@RGR$tDkLx1gK)L4v{D3L8)}T
zE#BlNu#93)s7y#HOmGZ<kcBxFM4YTJQIwN4?WdA~kTho|r5ENP6B8MC?p#smwM21K
z^S0I}k(BEHfa<BFpCYr}cam<EwDGSbP9(Qo5}E)O$nD<C=LHU!J&d<LGov#Nv6$<W
z1=-Z%8#;@4#<dRKcmo8h<o5rl#j&Orx~af7yY$tjw0UF&O@H~RCZF2tBxddR21!^G
zpt5C_K~r0be?{=+7ZZtmI$~%)`5(6z2dfqqj2i)`hQb>NWWq`HO3O|lmBE!<BBBj*
zO-e0Da48~z2UCM`*v4~rkdqHE>;8ZyDarN{@lm%iL*tsN+mm$ixrj4MJhSOh60O3m
zYat?B0%dEl#UmVKM0f_)k_G;z{36I9R0jArYohIZ+kE)7MJdcOguO$}E}{-N1!6-;
zsOk(+TLkJUq?yIKQ2xrjo;C}ck(^l1vls%2!p31-phLdI5%kA7(31Wx-4#9Fsnv0b
z)}%j*_OZiQ>x-LF09KdeM=NSMYum^5km4FViZ*C@x*Giu&qmhM$i3%mVvC!Ae(+qc
z?H+nQKcao#Hsu8p*l+m4#xh_SWFo%Q{*#s{NNm?Nl*PzVS+&wmB{1#uN=;RmXe6P5
ze0$CvWQX=*lxZO?eJ7Ei7oUDO9c$W*Wtdv5EnFRB1nPE=bd%l&^LAlAXUG`DU~*3L
zqG%cC--i&E8yke8H?nxV%XmDF)7l*XH-$M{5FX5&h}s;fDy<SZx-KJ=+BGvViJNV1
zis#o!rw|qJF{Rt+BAnU~a@a>|LJ|Dv%tGvo=a-p0Ori)Ou2Bt_sHh1Oa+A2ldC@-;
z^=k5$Ds(crCiP&E8O=4Zjy=5WU1}rvp{+CvU|ZQJpBTIEAGaQ!i4L`r`0B{{m)`1i
zah%x@gg|hbGAw-$#{NR$1fE2Z7tGK9;7o>0Q4>6(m`b1|m?P%6zJ0O@gffQo=Z0v?
zUuum$2}^D)^s&O3c1Aw18;V3x#L*0Kl{?c{=3p$kw_}#Rw<r;VHnkSe=1zqV%zEAD
ziE2-ub|Ns^bmTgT8J-x19>*l+S#i};JZbgs+b-~;`rTwFSbG~jt$4k<yW_eC>oJQz
zVUza_&}Of308|B*s|E*eH5QJEWX2x@6ig%%pRIGzJcLcg=n*1Z!E<^iAPnw@$Vh4G
zA|{|6e+9A1Y_-NsYH^KnL&L$-S0#8B_h~D5ow~&X1ZnT7>rxc$6`YqNoe7d4YNYoZ
z5J0J!?dO6if_vmy?=IIz7Wh&Xne)Iuu`7JVcQEA}RVnh$T+3J{o#%$Dg<s@XFHW0B
zRBPcs&o+#D+Xckx%+#T}Y)aTB8uw$#^s0+~$yks@nu-h>xY7ow7V%9Sm?V}}uknoV
zD9G7TuxZj~ll_~Z@TDGyvgPnZqhfISdq^ikWSy*zI`CV@dP0L{Xi?d28+M6W@9mti
z--O4Q%wm))j}9m2{?3Ohc3iJWXM7QUsm^^0dR%)#L?d-ioIr6W$+_8Rv2EQ||0wei
zY=2q(A`ezYAbJgF@u#Q4G{~JBuWi+T>%n}mA#|?(LYlbE7Uqw_5j>omVtop+Xo5IO
zqUbu|l*;c-bx|Q|Q2#&?V+^UVOtQLVdJD)|8~E}sx%_|!TxTaYCEsNqr*GBfg7V|9
zI%*_j96(p-`+V-yqjAb7S&Gzk>+!PIz9n1ELTfHNv=Y_X$9ljHY!h(z4RSB&@h0bs
zGPr~;{;7&7HyBAO^|e@Bo=E&~6+Y!a&ESz9k7)#^?r()^f%5B>F!=<yyM$#MyQ?NQ
z6@8RiAt*CbzOLh;gjh(DfxjT^ZyU)3f3gKdCGsV7Wor^^S28(j5OWXH^^n^ZZV-iQ
zeqQjVi1c=G8H8BDN(f2U)MX;MOF1mQWVrUI|CPDSn<9Xyzv|;wBQL0?(u8pY1#97}
z(GKXfF&D?vJ1(DH(o|}j((=K`-=N;NkTR$VDE|Hf#XqqFUNxpGp^2NIp*30hYv96a
zR<u#hcvw%+4*47Qu-)$TfjI7aR<1Sb+Ak&}ow0V){1+aKDRXX<xb)B2^305p6F{Qd
zZbQ|x`8XC3G!|O)O1F3fNgW?ZTSreqm^wG6TUu{X)s68-U`9vpv*ZXmax_$mJ<{z~
zH5T<3(yekC+&!RqiLCiy4qs|RX}|}PV%eKUtw(mwnPrwFoyl16>l0ZkNRLAl%{M90
zsh7K1tSaUi{V^G)xlue(lwMgsz6C&T`rHD$zj9FTz?W9b4tJYObfzi`TB6}%KQ1EI
zXmacT^}g<#BM$o{H<n$SZT<OPL3WZHDSP3_*?n8^O*VIw<<sRS_Ui<fg91g<9jZ6`
zgULSJTeX6AA}ui?kg>nnOa-Z$y*eGzN(Zr4grySn*w|GzTF1U*2g+Xu;^(0K3;lLe
zN?l`*Yb3dceqVerrO={i%1gjLh{*A*@$F?z^%*%FR_JgVKW_|lyFuaNpF2yU;u@L*
zm}iGA>QJe<bC`=u*sew1PkHvZ5>U~-U?wM3%P1>k9s8jhTdQ;aGpRaq9fgUr4U1Or
z4Ccqv@A^~Ga1ACGc3I;nCe-uNTzmTWtU(p&X46CI_4?mKK1A@1jYtcZgD0a(UaL;b
zZ6_Z>4Sq2tHqZa+ugKlk6+!M8Wu7EJDs>u`%qZq&AVlNFXbzN@_DuT`2Z0+UZ`!yS
zZs9&FuWNrL7ZWnGG-ZzaC3GB!#Me4NA$zDgF<_XB$PB?iLta}rK^TOby9`A4>Gz0$
zI%LMfo#o5A&IbjQQYWw0Dz$HtnWLd|TWWD@Pf0NZxGtF{9-~S-m^ec_Y%3dvI3bS1
z8<@#K|8SHk)Mx`rBAiCWI>NP;ud!lVl_$oc3qgzjHLSbAM=~52Zv|*byd#yn%kV;=
z@YI7XyGD=uWFWQPNAUfkYPa?U-z`lac-P-4-=jzG*%YvuFFDa}`fLfNwH?ypi412-
zU=Jl{=qacV9)~_|%q(srlMHD;p+fg!?EOPdgyn0bn&>CQI#3$YZAw1U0iKc-*j`{M
zhg1q+R!ysNDgx0}(Y&N<OT~;+DPwGLZvtT!(H?cspHTkbVTg?0{Xo{&IY9m#QWvNn
zFVlG5?M+NJm~cN8dTRM+KCg#a*ZZZjoj{&7a3vjRxDUbd?iQA$)KNC|tIt4726S?=
zqQPWVyg39@HEq>@kP4c<Q8zFWB?XMi#f*%cKP?SEhM63CKewwri9twc6LG={5r6xa
zl;F@}V|qfY9{-hDItvsMVZ6?k1lEywZyIBxoQ?XXGyQ%ix$k=-(WYK#NQPOlWcZEI
zim%v$vIytV;9f1=C_T0u0&=3`U1$!|4C~Q9UnvF0Y*M|{7vUJf+O&O94~JRc;>b5a
zC3!M^2mC<4IG8q2_%HDd7y5^69U^DoZWNwj+<tlaL@4J)74-dXla_$7QXFXswE{hy
z(9eL4Au6nkfi$zak=;1PV4()p5@z-CHv&>V1`IeZPtE<;Y_bLHiJJ*kLhO^F9BG#(
zDJa`aRu<wC;mwS_ci0M%_yurC&cWw1J7&>W6AlV;DOu_mGLulxF>%)^)AnxKN*LLM
z(ldNPu7iP}D@xQ3_RWyKh-n@*F$tyKsu_3;IFD~I??Iaq;O|~+wV7$%WlY$!cm^<W
zm56+s7K?Xh*sJ8JlUZ_qbTs$i49t2bZTUlM*)f;KI7XpMzW@E(-{3aBvG_z25^^7G
z6QxqP&D{=6u<wIh>KKBECL;3dG?-Jf_TEl;pYBtRq^28EuY_BOf#x#-@k4M<U6%S)
z9rjAsumWAoR-|m{bU_SyEU9I$@_kxNZt6DL-*&0m;5>qwcG2e!YI~p(5$FisKDJJ(
zLN2;w*nXN-nvOOA5-&d6DimKav(AMNc4Fm*Z{yDMrFHNTzT@CWYn&NI_W_o>Vv-^^
zN%$}#h;xn|^OZYxQxH7;o#oNh5|npa{p#m(`F&nsDQS^XzIfKXRs%u8iSVjm?1>c^
zh0Cq(n1aYH#Jkm~2|;oNsNeqV`O`b-#7!J%2B%z!Qdo}<PLqn0uG#sR@q?jvp1?5<
zWeKDf{eG%KJVO55tWyu`Ruz7N%DvzDeFW;awQgS|-QTZGCh%K}$NmxWVKwsBo+Dp-
zFGdnbo0}lwV*Mb2<#=ga`)Vc@F2O#-TLTsG@EE9|XBeH~zX;0CfZxS<d}LXL-I@IP
z-AwN4hgLwSEXoTq8HH#UXEFu<=<Fetgw^HsSSlF>!M_J&+9A?RQ824S^#72#SxaY7
z!HwB!Cg2zX!P4fV4flj(=2=O(z%bgV`d>qoWw0|Qesc+<TM(1MU05=#8@d;}wdB~j
zP|nFJ0@3mz|I5y3{(83J2G-Qy{ZDFOnH42LSdt7`k6c2+3_ins4x$RFy*4Fy!7CwF
zVer&0!TvB_t+@Lyh`%{ZDy{R750V{@Ij$Igy-W_)0~7FOD>kGOw6Mj}3%Z<w>em)w
zleNHTW1B+=jD>9!uCbf<e^n?U)q;rBRBCnUHzRR^6p1s8+9{Gaef>GG7-g5eb*u;>
z&Y**osC++ix7A<}iBT89i|=|TO8z>TgcF!@>Ql%6a>Dsm>nd-Hte2;2g7Vl*Rc+SO
zMmR7|ioB#KiMDNB;>a+Jny<J^T;VIQtKO}QljSAei%=RzB~J<tw-zGj_kSp0Nt#1<
zf-S8Mft@|l$cbdhDdwJ;gA_i4l&@^})>aaB;u9Z^0Y`E0SgA-&(#K8@M880f1@o#3
z`0%g>1+-h+t<m~KOKTjW&ip-U!JX%eX5lhLzGW!c0wp_t0*EKYKYMC#L8kJm&FjcF
z0mT1<uXBnKrHQui*tTukwr!rVZQHhO+qP}%jL+D<^FQ2|`*6EcT}gFkcXukOq^kB>
zUn#);Dv1T>gwnP_CUxhZ`SX%Yk5D6`S~~efq{@po8$vl#u<>5VTQ}8bXqs0y(P4ey
zr!<LrNr#X!9<e!9N`0ifJ+wTCnoU8}N)*k^pvEBq^|E>L!X?1Ph`Lew+hvjkrh!hs
zb;T=O@{rSqe}aKL39zpu7uKH*F+d(Iq0|jRCFbHUw@LT!F!PT3t`Wq<(d1@kZf_o%
z(~=W-^MFbf`~;WLOFSEQejEiyuA92Ypes_cbZV;C_{|t4>d4UGZu5L(q@T9I`}w>>
zOUHi1&+v)NkH7-2`Q06k8dj@iX&snzT@Xt;@c-r_xt#rdeLhL^?=#t}Nrr0!KGdWK
z@XoS_DQ6X;DGP8>LRJ-8a^|FkB;l;XGCE@@t-l5&>lq1VT_epvOcq(o!}O8?P!Pg}
zNc~uuDE0Bqig|+`WFTUuoM|XNp6rqlrik#@{(ek%&iXO;Ugkn$cHRb}GEXmJ_y!Bk
zOjQvacU#I+SZH`NwB)9W>d^#0R)ZG!=hYb1s1A)$&`I4P6GsU5>g-kZ>rjaq@k&V!
z!_${9!owk)-<s9++AchYXoH#*UnMi(4KckCMPbzAs&^93(dlGdZQx?Fz7cpo?eMsz
zGsc#Ioa-kcGJ28g8)sbkhggN^{#pJ~gd7HKV?GtpmqI!*VXSld`ox8hXfL4Ge?%r2
zetNTU^JOHgjx4W99JqjqBmaVX6zHU%2wdZT80}MeIHCHT2y8p3uw$8zd-4xcwP%kw
zN@~lZqwuN%0ZH$hdU#1<3V+&1%j`OF4oFL6@Y*{eORWjoD<mIv5Wl-=B~G#+UZBDY
z9V~h)Q6g$MQ<b0)YlZy*_{k+`@Dmh`<i(?mrWKM(S(KVA{h{>5N~^jWHg(t{W>Arx
zUy@+gTxUeKRru&EFu$IPEJgw<esOcm-qf&*Y$R4!sunfC&V3&s$wH@uuJ^A>v2<2=
z65}2WMLFrbvzwjN!mHhnn@cYq|LLDE>uwhojWER1GngnLZd>F~+zmaGo!>Oqp>gE(
zsj~F>iXSlrk-#nKuv2i+XwVep`MKB!7=VkZ>#L<mSCTze@ADR<R<RHHI-Ol!WONXT
z!dyVBIi+cMKToAvJ{+Z>DvY|z%>?1{v{3uF&0f+d?FROT?XRW-ob+pji*#=Rj`RM|
zEt$L2cu>6@QLPG1@g@W4k~%5Wm!gORrT?>#Fq^}<u_Or&bzu&lSW-QLRDM+uGnDMi
zA8a|_EP#)WLRRh8F7qeb(CqNNl{g6!@r}iaaJ;e{w{~>5I7u{O3==WU8-z-qM1MMb
zt9Ucq3`$VGdZ-cI;7iT-g790Bs6-8T3#{@}48k4t*{FQj+_k4>61V!X1k8?>#jltp
z+gQ@XN3FIca}xD<sYKT&mqPFZ)Yz{-HxX=fcImUz`#EsixJm{0y)K`S*cuYHs)759
z_TN+`MSZlr+%JJ6mBaPYi-L<E=~&qV3kXot5{tkUH#q>qdQ9)&d7FumhOvUzmxqXy
zWY%61Nd+nUU&PF`$05LUl=qw~Jno~~TVvv%$x|aYk*n$F=ehUc^G^6r21@GbVwM?7
zVvNa6Xbr3-I}uDquQQJL$5au4*oW?Vwa-IPlaXn<p8<Ke`vPtOcQND>0h47L5%jy{
zIi8hKd6$J3@Gu7O-t7!C5^$GMOwtY71ZlzKyFSa2G9_BKeodZ0$<~r8{B2QkUBn4w
zZiUTXDc&EU{V_ht+0)}TN>>X65(Tr8h_Yt1&B?zlnZ>FX8L=Uhz5i-;AQ-c<%F9F7
zP{bTXY!BG618Q4q?d^G7Ar-_=4#j>9D?p_i8}r}AHAQ_St3`sN#1WCamRT&+2y>Uf
zs&G(sY@G6esZ^h1%P@1@=FJ&P|K>sSQS?+l0FqBM1V0wU@X0W?^rDfz6Zk=j@HYFW
z2B%PVJh8|vT0cS<jE-B+0_6Fh%(Kx?*l5w1Ki7vP1(TQ>yNSL<XhS7@prxj5Za={P
z*sdE=eMWM;phSM6zmZd9w;(VuU9N}cfb6ZPzK_^)Dx%kpOIrieJ1TK%617zWJ5>o>
zvGVL<_ZP$DS8LtJA4@#cnzk4~RQmn7gU0<t-MGw3-93{mejC`mEyY==HF9Hx*ry2%
ztjE?7vKOu`sYHe18I~JdZ{S`%s1v{39HN>=Dp|9jtp+<UTBp4wCUhDO>fSv}i1&~*
z9(ja|!Z*w{q>7C*88J4r)1$iAsD7rd-v*BoBfbnvfrp)bK`QRsr+*ar!MpcTuKl~a
z(L%(_QD<v0Q{@s>m%5f*jH2q4rhZX$^{)mM|0`-;m087?%H)@x>|3h!CBn8s%>y@|
ztVoV+SA_JyBV;WUtPgJb?$$s#p_z%CA`y|qZ|DT+nty?Nb73u(qUIETtaEi@dT1W_
zs%U*F0~Q7mMZ1rm?y?<NEKs$bAuuC}ZWa|kC3b0_@VEFu>$}O%6UTlk2GD*M-eGhy
znK<{5hg_39T(~B~UQ$DEWzb0iLyp<fW*gOJ#?&C65Ju0=)4Sp0?6cS%LfM#YT16hF
zf)pZn%3)GUXOsMu!x#(5f^@cCr!e?bQJXUl)wtcoSegTs+8YXD8x+H)Ay6|^GrbF*
zasnxf;W0JK@2t5LU$D}Py(MiuLC8W{vjun8t8`XZIg#vli*Dn6;bnf6SQ*#lQ==p%
zMlMAUJ{vat;!NFT%K(6{Ocd6!3<e&!q9xR2``^Wm4YglVpUu_t_LV~Dk$eHyE!Xn$
z)fN;A-(Vorvzk{eOW!AyKljQ`4MYQpa{{9sFKK;(VzV&#CRXJIdVGanuCOgXiAjq_
zA!4={xVF^KZKQM+7rh7ISB-KK5<y&mef{HQU5#=I_hHRA@aI{4vE(<n=`?Pq@JYoC
z-sJVR$wskrmtaq;T5wZXYc|?LauQ+S6pc$Z7&sFdV=D4o;+gWAhruAya9~zrdc=8e
z;r5o-I4x;^NFCMmAv~~@y1GF{XSBGSYw#J28D?gpHJx0D@LAho*nKsXeP#H0OrE&&
zETOII3LS#R0^I8NMrVB}xfLFR+ARuwSw^P0xt60EL>Ud7)Wyy?DbE)KGYNdUb<>uE
zPxGRXT!c!(U!n7+Ky8=63lik4L~k=O@&K~J_kT?b+>lg18{g?cRj+}q#ul(xbe_Qr
zd*Wtg<s^<)5#u2ySo;zpd6A%&K)1u4P&#N?Q8VQ8_|f2r7#$|ziitbHL4==2wo<X(
zjn~w3vw*t#el>iQ*&{KxJ7-hqE<jjV&M3qqn@JoTsCpX$ndjiPdzHj>x|7TZwOWd?
zXdRh;(xGUK);aRk4@Ow#F8#6Tz`yA@W+SIB#yl$IKy$~nZ_o(qPcBzXLac}(ekokP
zF9XNnJax@s%1N`BjYgeval!QIm`59YTGt~=ZXe)BZI0+ZJ))IkZpZ}oagj21ZX|j5
zcTfq6rBAx|q&t9tF!^LH6f(!4S$0Yhyk&!3Bj(0ol1o0dET=%dg%k2%2B%CutMH7N
zfvQp-&T+U;-na5+pZhzqR~<JUF1fY~zQQx#>6bA}=+bqT&fp;?Qf+Z*S&<sLUHVAS
zs?rV&U1y<z-R?$B&PS^!J<~Avq&0-}zTAq>Q8t0U6-eiYyl?{U*`><|iG0kMSkyiK
zgcNWXxG!j_G79HypDnc9vHft(1f>-@2G#T*I{EU59k*^R9D&8eTJEK5M{=?>%7L8D
zbVu`!bB1ZVhuDZ$!Y4tFy~J72{ADF8t@piVKl~^KoL?t92d0itm>)A%Y~f|-Qqb9Z
zI}VIrFE2NvTDKSGI4NKW!eGW{5z|t7ZF-T@95_zowxDSdUA^Ux!r!)H<NNIC<Z8q?
zr<ZmpV+E$$3W;?GTCh;7Qno;i3EwtzwEeUUC;J(A)tE}N>MAsK-j;PS_uSmd9iaLz
z%{1Psla>X8;k^|_5%N+yZ<xCmXNWsSh4S@(0EI=kK@GL>Vct#aHp%pj)s4zT-W27Y
z1mn<O4E1k;a&9c3dcf+0+^J)*IYE^hLG<L{+pb1ctyW{02Ugu5tIm2&cB=@kRH}zN
zuJ!P4oF=hNu<u$$TkzupCw*?R=As0PY?W#AlBy4N;5#kp=1+gzWq3<j1dIKWcCbV?
z9ntcZQ4r{GcpF+Vvh?gZyV-NG<SdZ%LO7WTt-1ZrngCQc{_O0mWu%?c#^URc{SDqh
zJuaKPN};dS`r!Mxkf1wI=g$Q^jE%OKWCK^kt#k1fzcz4M3~x1ivB?sg)Wt9}s5uP(
z6}?fLx&2L}Kcjvd^j4{m+E*lRxyi2DO^3iHpwtnJJ!{r5j%eqwlTlFn<DpKZ)<#Oi
z+Z@|Lf2U|ujzPZ&Gf7cT4@VA}7uU_rxm<PKj?yK|Ih)0@wDN$N3f=?KZ;S4ejygd^
zj6Y9Hr<_iHsGV(kzsoX0vrsO4eJTo>)@m=3ea;;S87RaaQt_A|j4WH{Xn(MC{S#*1
zKw;!a^i0&<#ld%L7yZw>I0rLV|G38W5-m;Qvsm|rYLC&x`c6h#!29d1lC?9MZZD=*
zt4~07KQ{VBBJ-b<tY*5larf%l!v2_j9PcY+eWqTKThM^LN|03?-Cua5wMSoUT-?4c
zjMc~90gG0O-*wx^>-(^S^Wz1A&g#bzXf{&Lq_#`?OH8bW9c~_5aG{wqT#6PRdx91F
z!2p%1xP^t6GE}_MB%W<1igV}0wegIX@+77kReGb{Cb_}xGTz)V-HMs*sq#2`|4{Ad
zdh+D(5=$d!L1`qrk}ru%z%UjHq(iKD-)ft1?ks1qNKoV@e9fB`SifFNSbDnJJ@}8I
zqM=K3fGN&2aq^)iw=~OmX{^W8KrePIJsQB1UOhNVmhM*zN`^i``M4kOKxQ^wvsZpt
zdNFTza`B?1GsjzD0NIua$4=FcqNTjTqoN^F1ed5^qS8-0POeaxTiJsA!h*vxKOR{B
zYO^-nCrc;KyG1*YWBCFUFUQy2<G-)-r`yBBe?-L)*IvY(h!N-}lX$C$yZiqh9be<7
zE{m2H?Ehq(Es{;0^Yw9b@nC1;(g$IhH{qNe--RPPa-ozi_i=nUxMKn6EZGw8OP|%+
zbRY)444sXw^ov#<`-2ZfO%=5fxx@H|%k|-hMw6~va_%=p72U+8ZaSBQDE3cTXpx!6
zPCYp*a1}%y?1cqQ?E_HJuHNPcojEh`@WBl}U{{;$*%eKlweL0_TMdN>J4!bK#Zr_d
z-#t3zP&o4O@bYkd_3}lYflWp5abm^9%Juc}#nBZe9UL?K6$G*oL0DxVgv+vXDOiWA
z9x$)QPWR8A1qcR&lb%tpkyGafavV-pU(dJ~E&Bc0HnX)Gx>y5=O7ConSU2ORcID(G
zx`~(Fm`+K=rE4#yYpNRxzW7VQ1ZGEidbP(<((AKS+E_;@UVk1R<+fL{2e6M=TQ5Pm
z{J^X4zqtj!yCeyzBo@R{5S^9<{Hw8Zl+zJa-Kvl+W_tZToA!5y0o~eL2tadRtqt*|
zh*L;@^dI*g(lO4$FqIHmrcO$eeo35v{!b>wik;g_t>XqiMTqKr@XLAVJCL=LZSHq)
z6AL0K&AM<c=N$8x)wbB$5nE?0Df{1O9hNJI*#6AG*JBtB^4*Tu1;EV?ydnK)xZ#sW
zIU?IRWpVi5dD!Ri0AMHWB1n(OPXXV*BCG8IN6*t{{IwQ*H;N(Bq8nwlr}tqOA43Ox
z2>iT>nL4emKj(4k9bUYIC}Yh?T$y&yu{Z=URtb)LRn(xaHcLxJE#H}_NjX($5;SJl
zqq9|N*l$_!#RO7K0sro((1p(SMIcn{4tgwSWD4Y9q#?IZVn&EeMR9SYog-9B;b2E*
z3=88-T<eQu7E_cC5Q??bQd6j=A9o-8glL~>QxY?Q&<ip!)z3)q)qi{_7J^}n%+@ZC
zu5W~tMz|jWnMkEYt8m=KacCfFxAONd(znUfc0j@rdZb4}>HLZhdfd{H&aJo#dllXS
z5TEE7V)a?|aS^;5VYIa^!OVWD)&bU~VfW|XgzxNhkUlAIuN~gvuN()Pz^>OMa@oD7
z?rhw;i;8aK^H}9nq2F?%=RT<1)>dqkeF|wk!~c$zgiL6>8lkTES+wnsyIB34qRCTe
zU8T;FzD{MFNos%8=+&`D7nbve7YcspqV!nhi7ZHZVTcYrYog=~l<hKLc`u>E#}%GQ
zbO(g;i!H<z;&=at)%c)z*K?bN`&x_gMWH2;aKFt{e9Svc8i3V*!-qS1DDa15fI+<l
zFL%cmy<r`-16RZLH?pS=f9MSu@6(T@y9L*~<^L2V;<EBJr@{XKY6*0|AO>ZCTa5F`
zL!H+;YRWyQ1D2hD=Zo@xGJORA%pD*%2RiE}^NdC$|0@CDJhB&6_=4}ZFF~w-k2lwI
zH>`-_RfG^Do1};m6J5Tmg+Laj$dZug%Mo1|COi|mg<tJ@P7tXyvDfuL(aFtzB_`1P
zM6Q%a1CVbwk1LKCirx*0?VclQ^;)zsrr&)5jc_Y|>7mcC(2(7|_gzQvPS0#Ed;ZnP
zj)VR43J-|%O%ZQRO&~~-N@WLFJQVZhBzV8Z%OK-_iQ&Fs2V|t|4T!5uz;6fodvB}8
zKR6WX?_#V~kTXrsHk8CsLGXwTpfRx2G5|exzGD{wuNSGJh;_+crcgijW*m_vDe0~4
z{4fB!z{`AGVOTHb-XGL;mtYV;)d267#6=eYHUwELfDQkstyq7y`EVNuJ7DK6hB`2i
zt^o*NZs*)CM-rDk9nS>;x_$Rec5T3n=OPN$(EBSjf4O%>7Dj=-4XAlAF#X4(at3F)
zyc1Gi=vdzi@da|=$F3THolwZt%nV@f-SCVrcuZH|1IsQIPw#~qFT+$Q4D9qzYd3@$
zOmkpo+qA4p4W*bg2Qt}*-ueitPIc<N>EG~4iYak$;Wz>cNBCn_j4K}FYKJ;;Sg1#K
zL(9?MW|5FvPbB~~0T)WZoD*!N=eMRNcxx!i`3LjEF|_{H0s~k8Z(9+zxJBMOafNH6
zMLV`5YkmL37o>rcdC||zW9B#gi?Jj)vFt%%6@JkoSCM1N5M#xqN`zP$a5mhmSTzaG
z8V2e7*L-dSmkf4YyBkAi0A@c*6%9w8t;&F#bX9<VUCFPCSfS=%Ng!Y)>Hy=nTp?iR
zJ7S+WW6iiDoPi1ax|S;_jrPEl*)Rs|qOaSM;>wofv|P5b<?PlNvVb~tdvI$KyzRI}
z0rO*$ov{HoB@oR2RNm4PmM&mXGWKKIvYJ^2v-kCof*~`W8gw*Xqk9`w`T{IUu07QF
zJ0nfmwE;O|m&}WS_r~^GqZ<KN>ybmh@}qu!RqdO{3<?n2HU{97CtS$S^W=fwe?3dv
zY~_3bkAp=r&)c`JAnf|Px8`iKkUoG3*cvgN27LOpN-g`lW2NJLR;|yug0g5C^)~4K
zuxl0NUszXp{6aP2Y-Y!Eb>T5<6ji$~#TRlCzCSx24i~VH^RKAHffwx}rNn`@Aj@M&
z6k%a}x(H%YGlC2iS=!GskfnDEXkMZ6`WN7r6Id=$_5^ZhfN{B+nXH`xVKzVC7$U#D
z&Hvm!x7h`teBX7S;`V8MlRL_rXB?@Sn(k+ZdJ)e-WjdJG5t;`J>((CNYN;{JpDt_z
zN*u972iBbk<k(Wg);T27gH8y<a(10&dw*&GTJd@4;(S-dWVh59bmKJyT_gz0K0hj)
z$)mu26OOaJ#U6--lfV`*-MWzKQ5y~!5(us=FjE=|XLEW%=pVqd-05M!Wd&74`aZ9!
z7Du@>Hy!Y|WCI>}oeB#6Ww30yqvLMIFc}8RQO$bmUlfp-0K49h8B^(G0tlU*S#@<?
z{)=5;o_Y#^R1h=WvQL@Mh`|F~@yO_?UYyGRTAV2l=Dsg4pAEmN@?4$XfrVlBHK~8L
zVCP%;GJY$5z4k13nkg?9KFZcy2JFzQD_+<7P^QLRA`|V4cP=~}>pN@n1;RJs0zvF{
zW;{z`_2Xu4QF8#}9Iz@Tm`%CmrleEQ4(eA8`@jdY1hG4rdYj)`vMLcJfqUsQXyx4C
zh2lJ;jo-<-^wtCO)pa}1JH_x7jlb+6E&nQrOba`(Td3}~PuVWP=)8PhWzCe#Hh`}#
zA7gYDK_c8J8!|HI^CaSt@!=bTpi}xd5<C^Xp77wDf5tL>clJnfTQ)@TzEr>(+y_&5
zM&H6t>;3Wqi*fL13_PVPfr09f?q1i0tA>sJQnv6Y@@xjbE194V*?SkqPNWfH7|%TR
zDW<1he=cy^sGk!4(JQ#q6uD>hr~G1hOxUZLH=$Ik@jN1<IyZOCVwv5Sb;pOdHqHR{
zRMN^gRG<P9^<*hy^4(J?<d=7mop-&6oMz$f1jtL>QhYvKXm^!OVeFKvelL_cbfKQY
z(w!;zRm2wt;GZwAN5YUU6uY+X-wW4zZI3Hxb2le;$mT@-isf0VLV&NO48)AgqEpT+
zxclb&$7L15b9H!Lp-j4@Hq*O#Wf;VcnEhew&ey};v=t=}vYGb)MfUZf{%n7(jVF~|
z-I3!?5ic*Ia6lv8=npp0^n8BPVB(hVf&<l#FYkJMJ<njFxdPm$uPKdbt6B7Fd3MA@
zq4c<QCBiklsM)z4Y=UX+RR<}2@o55YUmeDS2gPTb+1@-^vK-|-AHEiFGD{{QPyy2#
z!}?lLIBXv0iKSG6X3#&u^IoZLK{O?K_NZhnee7%AncL67xXxmLywnFT*aQwo50_;p
z+}tx9!;*=7VJ1y^jTd3Re}q~w%!<a1LpDfe``p7ja9_sbW>JV$gj-n}FtU<LmXQ(b
z;-!Wpdl`lV-BIqn|H?7rE3>&Tw<JFnAqJK~B8NWL>js@IZX!}_tbq1`YflE+2vJO_
z@-uy4Ivpbz{u&EEtBmlq9Hl*+IQ>8(PA=h(Ae&X1euEgTcsiQ}JuzQf-tgdD%OK#V
z5AzL!6txnPaX?jvULPk&qw?p6?}a{ulmtHx>zENg!YyvScc=J$Rj6lO!(KM>A0_Wy
zdYubRXstZRr;&V^-d^iSJX_hCDs!g*iea9<7s;sGQD0){ty<x<5s%jT$QNNUc|+9z
zVX(Oa=&r&9Rbfd-Tte2FQ?X?w{hh!41)+fz<+HMQ*V+#|ZvcE%L3z^01)%2!2PBOU
zL`LQd^EW^C(`AMNwM3fi2v4!d^lHf}^fh?Yfv+H^AoPf|$6nh$jww4EMdY8ER$^wN
zUXIUv_~K}V$aPrNO%ACCSylx&d>KH5x`m>Q?6EJxZe0OJR;`DvRs;G=P+HY+>!^h$
zy(nYZS!Pprv%^Wpkor~aZ(RHh&bNaT9mN(6!XEG@XkfBm`EKIHhA#J&7xC$-T?*=w
z6MiBbGO;mcAWh<o^ra<8XJVN*jt^BCM5++uz}Heqe~UKk(IRE1n1+Z!ws%sRh*S6*
zOy^1l4nIu-`0b8NfPOvS2$M!As4>5h+c*Ghw|Bulq<X%t084D1W@<jbT9z9gwp+NC
zkVSbO3M{=d?WmD5B$XA)1*}4FO<mDvRg`_N?(@@<Q9FR2G?O_ynmDb_e&Uc{x68G9
z(TT}U-H!k2v|_o|_gHjBKML;yhh3^X<x@29+FL+QB-*lwE%P-)^{?NBBzCyBLDS-|
zl@|Z+I5IE`iNmu8!^^{)Zo*BS@S|JjN`Px;6`QHIZY8a%+*zZU*5U=q8=8~nxvb*k
zv07K-Ze^0p=^wFoKM65YoeLqCZxy*c94tJ*cy!l{_A-n!GW_}r*>I(uI=#Oa^)N!Z
zH#E7@?QN6M4<nt($_I(AUflxECox<dmmM^gS*IvALG703d<^qCoIRD9^T+Kf?#9Fb
z3f73$b4LIh9jk4as65nz_0Yq!OEs5CSDTz~fnFO0riabvrT%$%wH*E7*17zCrbs`s
z^EvAqYPq%>6lUL@81g^^UF$3hTb-ZTR`Mi2vp8F*Tt^nwuzBFM^6FxWs_r9tdGJ@a
z>7~B3BeTc!XGNZ~g_uo5Wq2)8@AotuYc(jwx)lHEG=Pp$MZ1aUBw}e%Ep5Fs+gMM=
zwElu**xdo;$ES1XqQ+@_|K3YAV;U`DAnBui&mO)QOe8Q5PuzF&v5KscXvk>}vb)YB
zZrO9Mb|{5C+QS`2@B%{4%hedHTXU36)<b-&6>4Yhn!&opz{22RUZP-@2e1m2SAAi|
z*K*3Ez{-B^M@@GJRFK7B0AmcV)P|1nV$)-P1mXh}wcKvAqdk5Cn!OyN@VvSTo87Yv
z^Z8dcKEE?`2HKS*WjGCHYD?v=13hZ+-R4sx#IJ$iH3V1`)P@(2_o`=ZVi;{GsP}e^
zBuu}b0@(-T%zwM(#Vl?`|3@B#t*!@D;W569l_iw+kwKKhoWAZ!;p#Nyxt03~*iL@g
zyc-W~eE+WlpSLgk1LWqV;M1@kX<ZAWkhu+P1-WCD*}b`mmpi+&687Chdy3%Szw(Ig
z0(jBK!`<vS+sR7AIUPENF$)=@4ZSA5Wc^c@ps*dQLAe@vFP`Jve`Vn>1>sBSvW_4U
zpHF>JzBaB+c>%U+3Eq|YBfpJb>hW&z?5KG8U<=Qd`d7go1i1L>#_&HBAH}i5p8Q{4
zHO>uAO9`_&c2;j`xgoLS+@OcjRy3D}JOOBGAAj+{=7zr^9!09%UE@{);Tzpu+GbQe
zoSZfib!!QI+}W2g`8aYDa)nnoa%HS_Ns0Q-VZrU*UmPWWh2m#D7-9>9n=w?(V3@}+
zd@BMYg$gCwnJC`Ru@sGMYK_*Nn31Aa^U}fl$o|Z8Fos{%W-HA=IR)~ne7p^wrbxNF
z_V%5YnCJS>@Sj$^-#>u=E9uxic_2<>1OV{I2mF5|9k9QW4jTho3sV!P|I9h<Y?BiN
z<FXhKLT)~xrpC-+VY`Y0j8>%Kdma~sL*g68s*&p}#z+!~zP(Hc;#<pjHGP?HX1t$y
ziGp3X%|XwqpgERT=L3uB3;wu+HxoRPFN5^@lq9vYF33CJ-JDCK7(-HIUw<iSEpKj6
z2UgXC7o?z}2EJ^vNI)Z*A`4+7n04tv7HEa~e=yd8rqu<S5Y4S)^Fxd>=Qa#w{e82l
zgll={k)xKaElArIW^HF{-|M+)kVvFnhG~vAkVv)#L@vRl@bb#Gw)kWJ@COJzD~N%w
zfYn(FpIB%#Lmb*F*LAOKjKM|;ze&Rm6dG!)Y^<FfcIV$97W}CCgK|i|zViH}?`HFP
zFUBGAq9~2}VXW63+z*DUXyU)bolV>tkmEi6!I67a=tz)}uvK+~2YAL6oos9~aN@Rl
z^4>Dfd<u3W_}V3mU2h|empsaI)C>GuFM!7%YJDy0*-e(X$OAq7eQtt#u{rA01&lAq
z|Lv^KN9zyA->y3X`v3Gdh`*hsEU&60EUGUes3NK_svs{c!NkJM(8R#P$i@f^^1tCS
zdmQNyejonNc~wCg7z70X;`jW&2i|Xk#ji1|6TO>>A+3ppF|ECw5$%61w2Vv~boRDp
z0A94gixCQP;;>Ly|HXopln_z+t^NNi5MaO8AwGkt-wM)RLemKV02=AP0=T&2`w0L*
z03iAMmF{}Sy5QNUD=T@=o*TPv2In>vKvE#Esq3tShGPV1)g)A_XKBM2Uo5WG4fztw
z@<CXL+J?ZW#Zuz$&w6{;y<E(DKhs;9X(nktPN%fhT;I7}|FXPpI!?2_t~<(fb3e}c
zo})g<O<*21l*h<8kw7#hAu6-m7^_L%O-67PRkEflkjfmh`yUV`_l4mS?BwdhW7PD_
zQAB6easFbftFNxn(7~!XBKl3qBdUJN8z{xej=QXZ3B48e%VX>}#@<N`67&_CR#2r4
zKIjzcqHGh5ZO{r?FM&GQGmV7^L9OAaC4;e4wLp5C1Rp(LTfo`EO>Dp8lr^7Lu8_v?
zyMB&@Ch&1gouAiMM?EBsO5^a)l0lhif!Z?7JrssxM&xtxQgH|j$j>LCbrytqBHR|#
z5)d}GLcJ#~Ao^Asq->$YufT)qeLY_(?S;BUVMD>f&Wr1PFE9uMu2^bwaI%}JH~DF`
z>T*pDJ{;8_HsKcT$8SM6aX3gtlLatpnUK;@TT+hhYAs{wWnMLVf8Y1MFaD^#`l4uy
z<(c_AIUzUBPTu7LW9419L@tqpI|F5^vD8>=9f;o(YJ_7trw>MMZsI8Rj?TrYuYT-#
zIJjNy5<}|C8@)(^aq#V2akA4J1S+G<4*B|`A!LIy&H+}0ih9UHgrB|)CpX&&a5)&*
z)9lw+CmhEWNOX4$q3b*?*KTgQ$D+sezT*IQGqU~!+iUa=(Ls{0gX-m@%6-rgw#@-<
z!Gbz#L|{sAA$-yznwSWv;dOh<PITQ7=yboIF>~m0klH2Y->bKi9w1TAaTD7>>Er>%
zBOY-vYcM3l7lvX9-}h;u9KT_&ruf9r4Mp#a)@&e--S`+Wjh%APJm{hwuwc)Ti(;@m
zw;L3pb1$}mpE2Ob!TU-C{j5%Y3j1kjH+Q3lT{T=1j{>kqOUz&#G|x)6Y1a;6at92P
z%<l4IG42tY!Z+~tlNH#&3W~xu{~9kvekFumZ|d~Mwa7DH!Epo2Og&1Snt0L4wnX^(
zC$eWgyKCXbziwuHoZg;o1^Nd1i>#w7beN^0t?)moStwr~3<EMA8F-nRl9J@^(H{)R
zggMu#?lYT@v=JYf33&^(@~Ot$-35d&O;FyFpLSFSfqCIl_f=Tj;nEf2ur>2D@p(y=
z>b`eLqr}?iKk)-6;6oEWi4p|j5~*#S+^>$)uGMXRIMCS4^e$Z@5e!+i@u|c+=(Y~s
zqlkP%tS@bid>I_^HECQNKX)QZhFI5AIELmZ&t@+0FPOAM?%7m4fO|T<>Xi)mh{Ip7
z3qbH2puah}%fzDe<W2F-NwF-3jGKv;foh=iZO<dL9}HZnW@&z0R_N9-_CE<LeaOo?
z^&KO1NZM!PxRT2AyIPoP+2dlGoDqh_wt~9c!&%7Tf9kq@ipb6=p2jJPE6GdToO}65
z*8`Q7);Bh3ozT60WfsEnwivzjs$=ZeDsBuxBhk>ei+pPk`P%W}vRY=!hzkwg;9JK~
zln}VXLTCf~`SJ3Ew3r_abrstTAq4HItN;-+Pa}8(h37`QP7ruA?aI1Hc(>{z=nOMJ
zX$1IQO#a&EkXz7Tw=beAwxT+<a<<iOKiPCUV7h_1dwV}qp1YnaYCMXWQ}?Bz@*<@)
zTMC+&qg&R@kX_L{gRb2}wXtoGUF+&@DLuL5^clFwS^?8uU?7gaG--D;gOicT%DEP+
zejI<sSIdppOC#41@goIGx=014kObSdM{*NMN+H(2;_K{W>mN%81&rf1t)lf|9pM;y
z($?D3W90cD#=6h-I~>6RuiWk4xM&NC-)JjqeB%YbHnNp_|Jp`-ymgt#nlR2}-<2#i
z@m7qLc$6M<7V8hPv#yZdAtT5ZBUZI}qp{c-I!`m};H#a?Y3hE05Wj-6MqvZ<uo9jU
zVYuarJ<0-Eygv@tJhZOl-yGdGrUc&NH<xesT>u@__-!aje!mWVZ}U*_(((&pU7!SK
z=yf@_4m$vw&)%uIKItZ(#Azh|G1BP0YFr^51}SA<Z=XMFxZ5B<On+&W{o9kEr}6e4
zndVW8SGywKu&D3jE5GwSBzGqa<38kYv_vj?LEq|hAv@3N=rt52ndom1C`+=4qhdCv
zrTi%0#KABF;1)fL!?kLodzcsuG(0~d`_HNq*i_~amF?lMGrqBX<v{D#GYyw}TCS6Q
zYmb+zNZ+r_Bz22uTC92T53l(MOW~G3S+_Y{Nw`vX8K?7kP8M}912ev|{g;7;7F}}j
z8e%getKRU9I~?3YA-<unVhR22@aK(GTSms&fvwlpc=Kn0?G`JZWcMWHeMB(=GV`!7
zJrRy(J%00~rKYe(hRajt;he_l*!1tXAv2Ycc;-Dte6K8Vz}$6kiB%UIF<^%WIWY<T
z@i}Sawxe>-`ND0=pm~SX=IV!?!|IT~#RUKSy?1z29B$Moo$eD3dFBjYv`~9<@x_d{
zuGkY&B2Oj}JNKwni<$n4_3!<3^s>Cnfi?e*T1rxs!145EEv+XO^8B4-YWrO!t1Nbs
z6I$vXxSleafLwzIF9$M{X!5?UGU$}2sVgzIGZas^fo=Kh6X(X{_F!&4hDS!H_{M?+
z?XC+~FCw49_O#|u1|e^@lOOYNNu^F(y-h~-t%k9bY*+*yiKO|-lk}jy!s0p0&~o{l
zbg0?uy1d(A!u7xhgzqGs_xkKa3&)1YSJS6$@}l=>^mxm)Nv4>-&EwCufK{)s$2OUx
z`T-67uqfg@I)d*al^8@$of4v-*Vkmv4`U#-@U8#_Yi$y<Ze9N*d#K^_^gom2X2FG~
zN`lu+mG4z)b+p}k2LqQJ#C<=Qo9_w&exq>dFYs{wEI3K36KnSsT*Ja;^aG?jRJO7e
zCfE9@``O5glXNE}LsS2(&{7TGthC!SkSg~G8D$2>gmROpQ=mvCMV$D$?vt%SQGPH(
ztdKkTq6a5&_jYw2BsW)a_Vxu|PtQCwq8tX1_QV~cJmQKA@h$IybRapSRX{MWt3J8r
z$TkXsUem-Y$V%JZwK#@&0@xJ5w@U0aw7#Kr)jV5Q$sd|A`?mLP?L#>+rOM}F!M7XN
zS*nc4JK9ft^xTv@Z<Ffr2uYxAezvJBleF9>NTFD?_6Z3eo8zG4_(|0p<@T)8TFUP}
z4ZttP9ydEdzp-SMbH=jaJp4FfM;fO!Ng@6_OeV6Kr`^-zUOahFMoE8^DtFpyE%AiY
zsDx*m2D|x3laj(={0v?%lY>DGvQ_CD2u!uK$LB}IRrXkHL)j+HKcjZ=m<+6cvjaM=
z3H81mx`uU2JfJiYM<GCCB7%R{;HnQlH9F4_yZca#VR6q}yh$O2u&R2*+pZlHUZ2^*
z%=Wr_U#~R$qsF+)j6E7l%R2ADJ*_=h5pDA;$G?ahvrSP&<U^M(2-0jz_(7&BH-Ucm
z4e6H)owJ(3`Cb?4FN8nzw{%resBsit8$-R8)%OW`I@ouH8~TGh-k^aKlI--<r64JG
z_;?use(o1M<jJ*1swnB>bT8L{D3irh+dXF4Kk%YVfJ}GaF3+O9vl--Y_glZAh}<z|
zcQ-gXNR&3)ulbgg$F@XFyOgAV$V&Y)S};AOGDHzv)kBE#R>6s;aw%|{n>x=g>3Hqi
z;x5t{SE*_4wc7PT8<b*=)4Oa5EW;^oc)O}hPu5s#3a)QGB*5I=y`LqFue{+B67j4^
zL{9@CFqrO_!H!?(zFJ?`UU!?Jo4O`GeRNhC&*7#-AsTuCVB$j`9b%AZayfbH;?nh~
zF$#zn#E(;##fhS7^>pt=$2_KS<8Al}m)?<3dZArH=3s!wif9ql)RI#T{a%}~*^}$e
zYUMXSI(_Vm+ffX3&zs*hS@?C&hb%W$QB`a&Q4iszQSe_n<788UJvgA{!)g;{ZY@Iy
zHyb0ksU#YR)XlK&B^H78?g@GwTF0Z9^?1qbOf0P22eL?E^KvsYDq>~#@j#RG1%}zX
z?pf(6_!a;Vp4WjA4Z~;b2Nc=ScU-0bcBK5tN6q49T_y4&0^=teUoLyC0F)v+d6?<7
zb+>5|8jwmJyx`@hxw)1m_2D61@POW{orMT5jqP}sS#h(%IVc2+h>l)>!zjQI+t`D8
zjRus(HC(1BP`d^8>ISy?1_&XCGH@jn^E~U>Ffu%jGZ#yA4@#zt_FIILYJ#>~LGhwE
z5?J-)PFog&QU=Cp)oUpuE;WC06)`QEz(~GWhp6~~!j_HA$qP-*&uJ&yo~kr=ZVMU^
z!p6I34;2`KPPP}+YcUZZOy*PncIJP+=CP^hu=A}n;5USs3A;5kK1!1#7;8y4PQs7N
z*Z1`_b{^;B1kuF>fa-|@dasu?nqD9=jZa6xtfO9L4Mu7D-_*_&9W{c(-EF28Zx(0$
zk(HVM{AXjxoO^^*Nv~_Ys3y!&SVnHcg|<H4a|ulymA9ek<0VOg)M4PW!PGwbBa2jK
zLmpX@_3Q>g7KjM#u?P^x(or?4%LD+%jqOz-z4Z<YyU~g?57>MYFOP`t;cJ$%_XmBa
z*LQ9FF`@%*3VVI66!Fldtx^%=2vnZueF0K>xDIw=N^eu$>mjr>zqW-sq~<^zp>%h>
zbPfwI(HkD9EYem*J0b$Gl!TLa0`1OwGc29PH?t*9Tqx*MP0{8`Je2UdbRbInrOR8U
z(5FK7ko;F+nyseWy>E0bzV$HB(+qW<{J1xH!Z}r?4NpPrG&XwgLJRd1XC4@Jr}$_@
zOY&~v1YY`hxjiI^wBHyYSw{5iL$L9wi3fzj_|7UyI}mogvxAam^Hx&yU@H;-N?x#H
zYI$(Nk9uf?XB<}!C4%;Oy><AYx1+DWf;#)s0+RbEp6tW8an*I^pY0YdHkqA#m~Zq7
zC~pSlzc`l%c!ewpKRQuYBc)KrN%V8+*Q(}Y)*Tk4O~XTG$5!da2Ov7Wi`@Zs=buml
zuk;G>#!B#gFSS?m%DS%0|6*NBV;N0B&uj;b0nLR8pK~59{g9M{JI3h`_(wu;IgufT
zbY2*JqC5kg;x0_zP*CcW%`HX-`||JG2O<?%5^WYlG&oMr0(glxYcR2N-j24{<>BEd
z9<#r+mT+Bvu2L;!Fc@H=sN`h+8j%bq-%iF3EpV`ji+7+XhQI)x82+JoI7N%7VqO+E
zhe^%CbIzW=y^8C#ecTsjb`aq+<`ZI*z;H)TtSXhJHgY75Zg=0o{nJwbUWELg?WUGW
zgtE%807Fe~18nbdNM~kvYoNY=setj@4rG!JXf{E^$UHtS+81B+#ywp*fW!Fxopw5|
zL_E&)Wa}cdhv_@u1_;tUubsAk3wZn35cD49ES9o=RM^z9F&&MB%^5#oN{Y=eeVlPl
zIBP_Xp38io)6@St_WSXs^fGSt)y^Ese3M$aJBsHkk$jV_KTISH4My!8ik(X7M*RCs
z!pc0{7FGz6nI!0q=KX2VUQ3zvXe+K5r9i}g>uqeLB%&uxm?bEFVk@G@iO(&I+nEJO
zQvL@j;7%t!w#-b3?DeB9M!xd)l@(SJE!8Ns=A1G#x9O(Bub5ytV`Zwdd3XzHWCb}N
z<~t@{k|KIz&gotq<gyeSI~soA_pqV6(xy5=<z&nu2W)o`9(&Z|03jI{=*E0GO|zzf
zJMC&Vzs#~mk!&w%7!bW(P1~ph2|Q!T?9Scb7sx@j;6Y0jS)4h;xSYeZV2Le3e^gTX
z{>K~^WfGR#XTXNGQA=wZ%MxO|G4rO8oMdZcdVp?gJiIVke0h<ijimHUw0wrk-MK=F
zEYS+Qj8eVUY|ca!t{?6dvelE;5KvPvM#72-b}L_@E%dkuVCe%SZ4`jKm{T;FihF?C
z0qCtU1_OuXm?$%^?=#`X2tM~LQc+IIIXd*}Ly2}K69zweTZG~K!<eD)nhr8lUtUU9
zm+NwBN5!%Py5!QoP-k&T+$1j0;KVpRiym+&niS0J*KZUg&l21yAp60`>J{Yk3wgA{
z!Eakd@#%u`tJgo7iXjqz5Soz{$IPsci}U3`vr0OX6)c^VgLj6yyv!2Eq+Z>Vx0nJd
zn|R8NJxrF=$#{cyjT>awCK-~ONZCljJMcDyJtUc&eH9c>v%U=sEHzzS_wS~Q3HHLs
zsKt4$-}FVAGb<3ST|gD*icB(mFk6YErc+Mp-ftR91X{FA{;K%$+`mF5^}ird393TP
zfkqHzfG*pyXeI>T9g<6c&uw7hhf^%~gxEgj)Ie?@tE^(F*fv{tUw!h}oZEyEWmXPh
zU>OQG<e66fq_ve^e}cNtB3nq?#3SaOtII7dIxTG`g1USP_Wu0r3cLeXISM!tQ3i72
zeLN2PW;V{edn;qVLTOYQ3?`9jdH@a}A)9;uCW7b50lJJjZWEb+XbWrv;vUOPL~tQ3
z3is-BgV05-<jHqSpIYhc*Sjd^{A^RJq4kVK?$2J??x}pQ_~!8t7vJm0FNGT9nCmWX
z*MpNAlX&@o_b`|GZ`YpOj`m(yx<k74PZ+sJ4i6ETukKNzHZ%7#)Y*jl&O|QYRq)9>
zX^<vNV6l$!auSkbLY>j5S>^Sf3d3)-l??oJ_1VP5VRjPJU2iLO{&?kaVP9|FP_Sl&
zK(a*P<fH@DFkfeJ*vBjCxOwA$2eo*LG8cUz)byxHV(T9XRqqQ{=MXN$RKbL<VuBVP
zeZV$yp-SLNLPai=?eq^;1gMGT_}#QxD%ay!e)8LH>q8{{<0-CP6QOp&@MC$YCL$+s
z+_o6i{+S;%KwL{2HVp{yw1^qkOb^n<NX*_Jgd|9LmM?;56+CBQ9kOL4{T44J&6R^0
zZ!9~PLp8smpM7h68Je-%QE343{Rp$T@a)b<?6x4n&{nNX;fL&FvgF1|BZ2fXz_LZf
zI9oL}lH{YOXH-s4q$mN37eND?7r`21C2Oxi6^oz0+xd==oE4CMSU(Fj$H6ZSA{eW;
z*3J0=RKtjF)z(?RMUms%(kLNYpee2tra#Mb_ct1az^Ss-t~7wBFbfDUhutKFdtO%p
ziJ~e}>pL{n^mV>8R92{cd+F`OQ;zS<+SbGrqLahdq%k8BBH19QfB*TK&fPR5hG2QP
zj=VtAR~691fn8yu<D}HWv~blVH}m*t8f+*eTlY^;1Xyy1N4X3Lr+;ZD=~7S6Ja{5%
zTp20!5toOx+(``ucmRzYD{Xf~JWH5$1{t{syCMo!tsmyVnr`tQxizX5I0G7`6aevW
zSvo>{)ls8ZU8RyG@a3JFh;dInqz32^mq-R7nYq=XR4Iaojs3Y;TYk&9+zJZigt!dt
z+v6ajyj@05ZL770876%l9{>F5?6Bl!d585(kRZ0Ps3ZW;NBu>Mf@m2plN)!2M30Uo
zWWY~a2KuLj*)z%+_xovEpcg<UnY99>f)8?Hp<|czt%A&E(boN|G!P0#EOha0lS>Wi
zKR}NM2~{lHO3EK<^E%e}BlxJsne^8h8^$3E5@k0QL7=q~m4u~Vvb50GLr<c_7vl`R
zHt1L$$*qBa9?xcV1zfG409lzZboMA=So8voa-T*y&b6#^g$5>{bp(82ln(GES4q|J
zBn-!9I%WYO$P2?2-)5Xa$)jz#Ej0^sPewa#_-6E+bU2d#OxHGg&Kfb8E)IaEb)f=v
z`-cti14G(hG8wRF-AD_N>u_K|1_lGQh$6d+q8Su7!AvM|2pqDqKHgsrenKwl>Y}29
zW~SwB@zAKaZxye7?cOZzcF1<d@<`|e)!6kA;iq&y?0Gv?i#aVgL3d%B_z%2U?^1z{
zeH13bpK-`~8KO$|TkpmhpsI@mkKP&^$x;ELRN82iy%PbF+m&ao)DxTTxh)K!pv?r(
z9eSGld+;~%bel;8VmRhA@p9%Sh_*-^{&|}jM&{m(R@*ESj%NdGYEXyhk`89>g?f7=
z4WS|P*-Rk%dqJc;h|B_e&?9-31O<2r7KTk|Yk(CRBP%?CaR3n__?6%RMEB6HnlWO9
zzwxYSoxoKyUvi2A)t|z&%9=6*AjpI;c<X43fLa5A&V@{$3dkHJ-NQ1W*ln!i&Kgo@
z6h_MkqR8``5r=2|^7v^JTzpntnCE(C6ooQIcTg8&dK`;Tnqy_I2BHDta~wCnF8`yd
zK?>_gj|QkMjpjij0RK!P%uGFyG{^%f)|8SXY)mop3d6E_*jaiyYNwXX)Y1(t+}{0%
z9ola_t55dgN(95)%=bc<RULCyd%&_<`*Io0%Y!dXCBYfDK?k5gRRU0(B>i#sz~|JM
zf73J7%q3No?Ilr|fxVS>w4#f2NT)O(!<Nmifrc~~HUL^U=fv(n;im)z0Kog>6#A+-
zRR*C(&m@G2B=TS|&D*2c&d<aCzCgMVb^r?E&d}@%Omd03J8o8J>Y2)Z2Hl@9Q3#vR
zm~m!8fF|^(`b_3QGqoU;4c$#+XQ!SchCmlSCC0=_e6&tNA7_Ey@Ez3@(Z)*GlL@^^
zm>3E$z+%*Uc%;-RzSb{_yIru>d#2=rbod}<Xd>4=fD03*Xb&C2k%=Gx0SGJcmpP-q
zCR8LxDiTFYH|$xW2K&;Cmo<#v+8!idMXlX1WaAbOL8;q@P7yJUD6}qg;;GLrLwtv0
z`CBz63MQIw%O_PpP8vlMH5`3(c?Xy@CuTe|_X~6iB&zcKRNQT-rw0(HwnE39vlDMn
z>BJB!zHz6bf%g`@0jPv*?IC^7yI<mK{j;&gv_4R!hK4~I1wU@^)y$}qO6qP8wMOq!
z7CdIME~F%d5vUGjdPNm|!rEIX6vP}3m-yTMGBV+DnlAXSU~`w3$tN=C6c6;c1*!<<
zag8c)|4b)#DXC&>z#|}UT4^xsMBEeDmaPaNGkz3c{CsPIF7RNXKD-Fbvu676g<iWV
z(}8)t%09N7CY2V+LTj8=X{(+KosXaK^q)KPfRVEJr=d!q52CI3CHjmmgWR_{2y#x>
zir@EKs+2Oi&LIe6fT*EZn`~#S+6vvtJO+SZK~@EGC^G0K!u`sl6H|{?A>d_GC*Lh$
zq0LJ}Hdr%bfQF%AcpC{tX&nzUquK7iqtbQFgY$VgZ(pVB5zWdUS_D6ajhl>AKCb1-
z({W2wp-z2f;5E&STwi-qcvIRV;jOFh)p}Rrj!^(m$mg7NHN+`R9chl?<4NQs+_8)d
z6w6IC_Tb|-)*&ch@<q>L_!>EhKoJoteqW*D&tv|$NsKY5HGFYnI8P79zA`22MIjPr
zWAVCCqv#xS?Jp>DZ_g>W<5F87e(EW1*hp?5kC-_b?XzGqQO&(s01Y1(Si(0S8+f*L
z${x6eQQ=_xxO?JKH5^-LFEmPxddT{7piBY)^s~_?kp%8Of`#w5!lH-W;g#0D4ik6N
zI7E)qQ!?Wo2F{n}Q?lb;2DXW3mqyw2C_38GYsvhS&>mQ@x>U<u%Sw%B#<Fa(cI#AR
z1EI8NDt|?-yW$}47>)TtwgJrJLiV^TKg8LisN2K?LlqG^5cFk27mrEQswg+C(<yu{
zn(XY4K1#N`RtS%c7`vt`-18GPBnOfW3Gx1ow8e_nbrOf6QO_T?@IxrWH=b<-zHL)X
zu%LC2Z6rMaMSd)C>D<jT7buL@PkgcvUy71yE)31j$JWIStIUl{;B6-r-)DfT_X_pD
zp;qcI81Ci{MtV9v9F89)Rgo<W@2=vb<j1mEWoGV{3JMHE<w6pt24Ul*X<@JDXG<u+
z-nu)D`^&x)r^GtEdoqRPv6;_>a{w@+iJ?KYLk9hvZq9`{r4=Jghq{Q52@1#ny`Z#<
z7!Du&w|SU{my!67)t!~8<HDxl^7Wm^`|fe(xTeXkneAgD4(|eF_<Om$E4Kc^1BJK<
z$00OHC2Y-yi!>J<ir$U<^#7{pZPbSQlt&ZP&|-S3o>RF5h82p36Y#(lDGq}=lX$MX
zPe=_>-eV#5Mo}CvI6Fxfcq)Yx%xt%`1UZvS@pMGJ_&^=8b}B6t7VFO7g3EgAEW?U&
z0D&NEgTvoxJf&E^<J(2v5{mLZMf;4R+xY57zN%b%L5>!uKyVP_Ky!2d<nwX+KEB90
z*p&%Z_+5FbYkr}mvF8t_b)0SvR0MUa-Jz_KXkp=g{A@nK20S0CfT!;V;q<|rzy@n!
ziE{#iUTq}}JFrhr$Q!%DBggNBbqHke--Dxwc&25m$o#W~TPxL0YL(4UHi-Jl;u6jF
z8FM>+GUclIdeZQ9j68A-9w>?py31|O$N#LWCv_Is`~-yg)5M{`9kwNxS-23EDPkPb
z^zaEP+zqz~D#PoyskG3%hu(>n`M{>6qY)eWKYhJ(bfwF-J{-G)j%{{q+vwO%R&3k0
z&5mt59otFAw(aDX{hjaLv(Fy)-nqsa<NfEE_0}3yW7VAVnNJk~(a)sD%8*m_=yY}E
zd0#k{KQMZ{JJRb=mtlT;9lS3{$5{9%Mc@p|brxiiKG<~3Tmgo&eJ@)t;mxBqfwrIK
z1V@(}l;A7gw||SER45|0b+M_Wrb7@u_ywfgnC#cr^GtR$JfFyK$@JJ1C^AOlv#w!A
z<)8scG(j}s7k!{l86``PB-A84kBZ=<tG!GEx&_;)jFv2j4^`7*Qo370+mrLrA84s)
zB<DzAvm*C!+;y;(#Gb7@<1HzxyAS$pW`@|LUiQE``+gzYhtW>HSo9GU5ZUj<f<6sG
zPn(f%Wh<Rxg?3u!MY9b`8_O9w>0(v-4!3f{y5gaZDD#Tk5pe+~(PCvEKZk|@w$@d8
zvpMiFO`W+5teRmk45G#Ddz^=Wi&DuOSAnuP@}^v`ipq-~v(1{r7B^+Deh6BONe$fr
z1`6Noc&$A1S{MbXjqQL4I^Xaj*ir|GL$e(A1(=JX^8Tv)I2rv#sjZ{X<DZ(rn&?wk
zOlmJ#U(q22pX7>*q^@`TCs<DSM`UP>@B*DP8>DQv`9jyy#6x-Wr>WR+SPR|<QQJJK
z;jb^^0O4O;0Jc!0OY%~IW&9GEx5-b`MLebSCMk)SzU!eDl+t8nbON%TWewZwHGDjb
zED3>pJGYOP(h5K^9Wyo>w-RxT3fNo|7=$PbY%DJcL%wrZ;%N6~g)RC<YpH$4a@YNX
zL(FL1ejCm0v9ax<=1>^gAKo~qai=uFP0}w?JIdO(&$sXA$uOdO--p^r>?($+6tp{9
zcpfcFO+EEx&z+3E)N7M#>Qb0x7<X}hlI7My+4cMOSb}5RR1qyZU#~3;j3+6y2~Gpb
zozN^l=F~xC8-x517|3^ccsI2+SBzl1Qk*|!SZGEOQ=AOLwbOwwqyV$r`C<~l3k>90
zvHR<{-ez-)u6Do|c+sA6i!BgAq{#rT%BX48U=ETEA!75USJqmb>T5@U!e^jd*>{L?
zebA~DFFUV*&$d-Im5y5piKtSN<;fb_^jRN`cx6{KSb9I{b2xH`D2ZNfnNZ%=osaW{
z*S6nc&CxkF=9(Er#q9-OHIDdXHUmVE3IC8nLDg*iSmdAM*WR5K4U|<zTC8jko|nn2
z-W;qmAMl|U=x&6_3O~|d#A<Y0mQdpxyc%RKePz01FYZ8*bsWxDW>vdN&5WW?Poo9!
z@iKT|(4D&>py$v$4KkDRo1h4S&~vid+m3=R+}R5bZBmC+B7X>b2S{PZtKFmwyZkH$
z3B)I~O~F^kgz8qGci&>@f0~E4zE)S3>YHWUES7LS&VtKm05#kRC#>RIhCj;3&oWq_
zFx^M&<!TbiIo&S%crDZT)NZz+)_u!?$@!)632{KF6`#|B7+r3dcMS=l;q02UCHCQ?
zE$?tt^r`aFww~^O<~=j>ej(EU<HPLY#(bVewS=gEH^}Su13(JPHxL=-0mGOn=T7!b
z#x{%4K28EDY3i3Dia%$EJC(AD@zF2|zZPt?14@cqH1Tz?Jx3k2P>m1M>uTq?TVyS8
zwLP8mct#EY8NYw$IF5DwULroFq8RGg2Qx)}!fX|_-LrE@;2=hPEIZaz7dXh8zyjJu
z#_YE^Q~@0E72spvLNYt_8=;+>REwp!^Tr5Ala{91NEMv0y&M+lw-ieE>GtG5l5IF;
zk*upEzc|NelMD(|^n+49>T3jGGb3S97#we=|5U)noxO0I;&;~9ik;xBl^TcjLl#<`
zz`V!p9@tQD6<nasAx=q;cXH3s@&tI()P~PY=E`%e*la~xTEmsQXmzz6nZ4Dkk_y1F
zUous5v+{b7U6^}gg<F-CW+>!E=BqsQ`E(g;AM^0Y&=(!yuPwIn3>k4?iN*I;INh>*
z!|myv0SrW`lYcT!d@)TPy=IVo`9dyrQxiR8g0(gDM3k7y6Bn)vL~!%#o)?RHI+7YI
zc@}NL!+;kTUWvQMuhBeQy~$9MW-VtKMxsGSiU&?bXcUPa_DaPm%RQ<a%qFJ%hSw*M
zetc>neo8#aavO(M<9ksywNn*Lc6&I8NH;h4pWTjZ;;G@qK65c3r3F24f|Ss745EDL
zQS1l~qm%E){h}ZfeJf=cCEl&4o3t07nsKr&>gPRXkQa+PNq7!<w2k%|2ro}X`gE^J
z(p2!8Pgk5Z7wu_L>}f+al}w?9jvWi3Lha^c8aowHx^8aI5Mo&Wg?_sCa^-;*`o7AD
zJ1YcL`WU}3A2?gRtSNpfwl{+=RjIDp-C}Pz?#fI(eEDM-hkn}73!%vmgvN9ZEZHe4
z=>^K}q?u6l_nQ>&M&K&FciR-GA=40GmF6>Icvq3%5#<E1`qK%{Nv>+lJYW>lVF?Yp
zEFG&JY#Q>dp{!M3p)MZ`?KdWhwAtVpRwG)xcy0#slU77o=JS}6$;_+KH52wDsfxeM
zem`@@UGNZ*bODP^@>4qV0$B+a3*mE9tA$iUMo%PnFs3i(5X&Lg)bK;mZg6#en0HZX
zu1w%`vVR1MR*8Yv;GJVLJ14o<s;bewv3Ut*uTXUt7v;=FhlSGM0@RTEcO&(B({A$7
zw3)(&UDu4Gkj3u3XYEE8R7mkC<_CHPpl^2OWv><jdtyD~Tx(Y)+C3Nxu(lZxQ<|}s
zoIEm0vb-#PxZ({OO*WQS*fPrW!9hCi9+8Ui7kCL?4|i}&AmZZ|wqVZbBlMg=(zZa_
z_QwfH3!BVf#&nd{fU-Z<#;}L9_(=!6Gz;(XGV&(Q(gpMZvfAmUY@Yu0=|<1Q?7Daz
z##YCN#xFc;R_NJ`-gVPzT$?mEd-AB1%YpY#YnTtF!3ehbHyKR}&02R$mCEDUDvEIY
zzU$n~q)wi7x1Vx$CtysI5f@Me&ugfSm={Yih_fA6bK#4hZ_Q;RN^UC~2EhzN4~IUA
zmpLm_MxE3%`aG+nrIaNDmOmF=Kvc+i`#)T`h!<fmbn0I{m~I&+fS8{;kkpC2;|xCk
zjFh_>Pt|MNwO@pPX;c#>ZScF!Idto)J_MzO4Yi+V5zmsNkt|mWs=XPpFG&?_$zwI8
z?P{yG^fWf11S%jXUREDkQD|B_<Jsv0f$Z!b_eHyi`O|4C)8_0$%nHdA<bU-gvLX78
z8lPwg?@;^Aw!AgT?0akhIM-nEowf@)K2Upy=@21&@cQ2vh8d(5t2(1jOo|daF3><E
zUl!(r_AP2i2QAMyP^@<cfjE)biMLfVGiP<DYMI7<;jW&(_+?*9_2h5)SCbO?h(um>
z8fbrPRMp*|o@yAf24eWx7zD2}E*oMqaSXU|Q`^j)#nXfP!DE7<S3YfoixOd&{UG_|
zt;*>>S-Cf|YbPSF`ugQJ*cmP6g{vEYE*6iCFIJ+0=-UXx;_(1-1fi~;{kZc6*el^6
zsTPRJ^^_yll<V^-CAty0aR^kNdsCNT9G1l<ZanHL4BG{nfd#qLCJSK1`HGdZB$=Bd
zAnDQ99RRm{j4)SGJluwpV}uuZS$VdeB(L2Lr$XI9{|vRwFfP#Pp5_>7S)tTL3p{yl
z=%xI$I^=#vByGlNz>!cbqy`Od<Tr`Eq0!Rd5B{Z5W?x&Gr>AQkD@;zNKUY<ttKrBJ
z40z(H!qcpn(wPue*e+c10OY!G7XP~o$xCis&Xa|Zy>FVDeTVDarCQ~u$Wz6t7`{Lq
z)=C<a4PZkK6yl!2I;OvtAh^IpS1|ogLgTIr&$ZWmMZkEDE?0P?7uK6{hLE>w?+Tfi
z!`{D$QT7&wSK+TsLv(8$#Bk%mx!GiOMQsZ%O5qNeD8%8AIFPlaW`o8Rx;#<K>yImV
zQ3yy4yJDNo2rnM1uNAv#X6Q0|1oDGp`sKU#GWT5^k5=U?HbqlHjXcy5H#67ECPecm
z!0h~@gL4G4n&KSa-%pBzo3sLclZiZ!WfD#O&{}SC#n5QaQmB^jjVAWi+Fs?Dwa|sA
zOnZYQzRJ=Y^syy@n$IvaAEmaEl@or;+wW@&wOvjsfAIPJ)kdG-W5XLF0`f-hcl$(2
zUezuDHR2;A8k6x8TFhMYNTy(LrMc^5<SfdH!k<XfC!@Xg?8BGu`w~e4aTmBFgkJ9q
zXp9u{-m2a_2l$JhDOn4N3gEHv(bO#AsSw=vEUP+Q<YRkG^~~qdw$Ck<v<G2stX`st
zYsgqPp2V)XO<13Tu%P)IA_Tj2J*s$LYe(uxsBpn=IA2$(x#LPypC^HB>MS!F1N6xE
z)7#X2aS!my!awR3%7`UuP|HSRZj3ZI+m#QV5Q?BFWapsfW>QY~)GxGJ{!nv=S<Nbz
z349l}#?D;%Nf6^?T&CQC7QO>Ck>*eL3g;V%u_VHSgr_qR{*wE~ZP2Kj)7%8$GEA|v
zT0Fe+cnxjnkcW=u(qGN-o3=aGc;0BLA41Ky%0e>8*OA7vd#OVpq>-|lIO<%graD6o
zTsmAk#NdZKTc89Deg)qqnSae15c>@dFX8x|>CTBqK#FQ1w5rFf^ukguXsJSSFMy+5
zszgnxI{R21qjidrKV(E4A$p7xNxj=-%VusZo?m6)0VG~*MXS8h9!NA#r&<h-d<JF@
z-}|ZAs}WzB1<Yf7QlC((W91D4BiE~n4PHh@qCTuoj_#6qP05+4K!9%^gx|H3Al{^E
zsglepaIq}F7rL~8+6Za)(V#nzn$7~gJBGCDd~yO6GSMIcz1BTH2OkyGQ4olai_dQF
z`Zyb89+j7MhA1n{iQV@>tFG)AovLYJXz4E08FHGCet9Op<bC6yBlld)!Cb^*CXr2S
z-iRXheIZ4eCL?D>TWaUM#t3OB0m*wD&K3x7<4wf-22IzN{^ABZ%Md+SP!g`!?gwa~
zEC_OoJkiECF0P9-rBeQeqD-edxbFeeEVh7@-cjq`bJ7--B%48td)pBe!;#AkjrBHI
zksoYPvJICVw#s%ksG*_cULI$s<b6Qv<MZws$!sjEWMtCg;y1<`C<xZ0wzmHK_pqe>
zP^K(VNPS{PyT?N1EvU-Uo|-2bUiaa%Ed?cUJ5Vooyc@(x2-m+qL3OReaLrkK55Cyc
zKoTN9g{uVh{J$9CpPzD4kWeG8&5}VhKwo_9|BKL#_63y@Q4*k$_$f+fXyah?bw$I!
zsQrnv?UQBFC=gp4<uz=0K#&7_KiG-=2`C^lvXCIa^!fQAJ74&WKkd-Hqb2}#H&uHh
z8AgJcq$THrc;+h=zsm_((!N1xs^u+Qf#plBD6!$l-Z&E&9sd|cH(LO#w_2(SsqU68
z34uCay~KPPs|Ycr?SE9+LYWrF21L%tCIObt(Wf3vu3WaWc$iN_*F?RCt!O)8D&@1~
z#Z*V9G!Rwv1O0xT#UNdR(!4(_vr_86C(&NV=j)d27?|NV)z3=gE;rsfrnzs2Oacbf
z0u&cdAMAJ!#{xFC)w7be&|tO{xUY{6D5NA6s>YgW%WOkzAFa$xw%isQ8I0_|MXV?u
z!J%;bFV3-h)<hP>%~#1Sh;@ofAJ``wtU#{1F8a40P46*FwsdLy(INQ!{nExjk!i4j
zTD8W&5Gwc3gjpYBmLFzyC$Nfb>Q%+6{iQxgoPcTK(krAHfO=oz8tMsa`dg4ryeO8f
z^6e9j+)Z=48gL-JWRfg<gyX8ycr12{gsw<w?)5AriZf!cM-k@RHFpHi0jJWJv~dIG
zb+P((T#6w9gkK`n*F4?`A5HNY_tg0&)<h%!Dv2IkwD^m+cHKCit>`k9N@Yf##iku$
z-F+?%>i~T_4z-Dd2Adii$HO4?9jm;`mE3JQDVpkK&ZpBzK4_IvpqOEF$4*;hcL^Xp
zGbRx=S6z})iKtfWOBKc#17(9801XHE=jJOQbz>Gh&g#?!4^n=<P1nD8*C0AKJ0{{u
zl*;lhNHrww=6!>M_yqs2^_Xa6G9dlcs{r_FIr!fj4F2j@_|Ns|U}iF}?7^OBhM(;c
zJxn-wtVkB5kDBc=IG)<iNot84r?|M78JcQ`5igV$Cje={b;O@KTKawDS1d^$7A|fx
zO<X0~GNOd%62PT<{r%zP<F)GYWutrJ^<{m^<Ne~W^WybF|NORZ24-524+l<|U6J6o
z>0W*;;`cC(@K{huH8<qidRGl-e-s9&SSUK+8?{7qtOzl8x8Gxa(Qp)7*Kpoiwx$${
zQ-1iElQ94o|7Y$$IH{vWQdj+(Mb2<+JdfhM<moiTM{W?1*Zyt-?%8X@sd}vFI>3%b
zkaDgQ;=H<gqsHmMpFdfRg0F!Eq@as{VD*5zxHTIS#eD+#)$VlHW1!&B9_OMoGHcRm
zFcbQ=Z}Y}~qw(nv#=!Zj`lEL1W^fmjq7BDH?bKQM<kvjw^9O3(548u;LnT6$`U4Ra
zfG7k8BC<)o!_G0%X(olsL#~M0bggpUlMR;nVQg;VEKR`}={T)F$UMi_WUFL-$VT5%
z${Mn@kd}Y4$5eKDSO;YlZiYA%uZ;e{5}gra#p)2lx>zPs^{|rCao?1d@cm_b$@6)I
z?oq*{)lHYFI>CYVmMj8q5zRZ*<Z2c}prx{Tj>31d=W*P^-flwzxDz}x{8)zw7TBe1
z^%K=PY$<u%iKg&g6!f5xFKjXqQ%P4aPO%?W{w2FmKjM#OVWHr=D!!As*Uxz0=B;Bk
z93Rh-LfLwlT@FVt(~xU{E(bZJ9o|=qCN-hO^I+lCDBaGhzlFv;PjV5%_lnv#(CQcs
z!rQhg?olnv-|C(8Swq31aiDorcPnt(bxDMIrk2iWWgZ|Tf%I8qUZiT?-<(jtB&qhp
zDPF?+-3?qg3$x0c!Kr}O%k&QHI9$W99X^;Hf-j$+V*;{$4i97LcNE=-w|9NvXtB-0
z;e>qBNs(3J9X>;-iMCC#EZJv#aIHB9adP_-I!f-lrGu!)fZqy7NWQ4u;Be6!YafEW
zvlmy+E{-$Hl<o@FoSk-it|jZUr-@|n<*&iPgB+>ZrZcOS1_tF#>C8lfKWl#&XAJBu
zj%+PmB+B~JXq=cf>Gasp7p06NvlmozBD49UX)fF9E!Bn$6PmeLto>BilN_8zN8UT_
z%*Spos$(gjfF*?GI1vRX`H>=SW(V>afWQS{`PGA!2uy*aL<tG0rxW#sFjc@{)LIwR
zpaOb-$?1+4lt(TKms_lOYINncyu79<Vyzd&A8e}~AmsC_QD>ay2R-wrW)yfAepFWH
zTKb|}D5yJY<j9TdICK>8Q*gIG`dGRnfdMnBc(?z-{66(Z$dp-rPA`NXv1@VdZL`v3
z(m1`ISZLyRtG-@>G#+p#a0Q($kUNn-X2uk<ts979np>Lxk@y9^tUoHz`ls}h14<r%
zcKyKZGxa%8gQxOjCx67qAqHHB4j*3Iw9=wJJl0*pxvJS|YU7aKb)&Moiovv09$|e(
zMo~yolY`y+v+kN@;|2ZXaqtD6mU{0SYZ151OrJ6;Zj-A!n(m&%$*<PNA-{&ZDY(p`
zK=*gzp^WN{w34+vEnLNt5o=#0uKoHuC-~a_Ai;hu&Gh$9f~c~Fwo451UaHIN8+C)Q
zS=lN9i>u6PXi7U_5zzP6pInEN+Lzwpe+aO=a4kkou)U}-0M*ePrM+%OYsAroYU4Ip
z6`oFm4{Zu!(d1f{(_If&4`4ax<T|q6oQ}B%C(QZvI_62S-CXl@tDX}RRfRLFid`d)
zr<6?$Cu>&aP~Y3-5HDW(c>TMPaq5f%n;%Rd_7@L2p2=B_bYNnvALZX5hr;~xRW6sT
z6)#X=n8Z9zH5f9^t9}3;6SK;nJ)6>VWy;=4Je8HJ=h%HuFG^GhJN2KnY*J&*=3FX&
zQy;7%69z(qj#Wi(pi6joelNjJaMY!GA#`kXM#~-{&GnuUMc5>SK}8W|f;1>XjvFiU
z%*q_fva&bLYiX#W*j>ec-OUr6{t3~CMG`sW?Zu+d@=TSmZ{%TsileT6{R$c*(k1ch
znKzSVekg*6TY<>2?E&in{=D<t$Ri|3g%ZcYu{_o4hX?X+U#57-sv79ogwo?!7WMe_
zPl4345MD(nq#5rc90EanU?RY81Fumt>v3D}I$Y$JCHVJGN=pCa@6bIYK%i~lzD7<`
z5cJY{pD=#(?^BZA;P$Qs0k{>=^F}}+ss>m2ZXm|=vQu2C?XW7qk`eZ`&brC|*ZfZM
zzkYWsy^~=VibpmV)c=u&PqUKLpQ9{7lcritl+ag@E=9v3%aVpEr~@$z>p|G6W&ir$
zn8$+F-|y<kCBPZQ^V1=AmTul{Xs3G8p{_R1psM_{ckVsnaMHAb8-sxQ^Fp(s%%Lp+
zl-d|Mz{`8wwb^>LK14vY)vLm6a`jAKLX`O@5jFVlJicODTIj9rf(u<DmjQzUbI^%`
zZiIC!Mt`ambk~R`TQeNmEYThN78KSLI6bT^qY;C8H7%;7aR}xz%q-|5oK)kHLPeTV
zKfgWxBGROO|1>`UXU1>BfbQo?pA>~+TwEli74(=sYYov<Ly}_h3?}9^)8UN$4C8Rp
zvCVsM6ff>9G1j<#)AGr6C_C0f6%7;SnfTTMd$GX^pYeetmiCN;3iSXNwp3LUasX?G
zN-FnI2~9RD?JISTkEQoSMkXw0zI}{chDxx(g4PADomZ`(clmX(nGZ{zQO(+iT?eDs
zl6Bt0DgEoLkl^Q9A;MEVLPohcdA)2|ltEDj9k%9v^i4a<Xx&~$8F}H)#%m-m!KlMW
zo-$s!jfrI@gh}2)u?{>1Tu0s3xS}19?gN>O3HYK|a_2TImpwcuyOu~vTnvu%cb$Py
zhpQEjq|>T{^5y~iJ`dcCJl>`GHAbcqQ<05w%=qMH6&UHLXGp;kk0wv=GebnT;jN$t
zegA_VX)c4ML>avR`*mTLzL@06WZd?$S5k*Vx^x1#GwX(>`>fF)ww+7~r8GGeEf1ps
zo}1*MIku}2#?GphnOrBevL3f_*2#32<L*?+WtxwYl}2^U#AGWZ_uTnq<h+#+hsS+t
z?wv8cB{mXbQIbP1U>2XFHgwyW(L=74inx<ro_cO;=6MM&v)rs-nI+<#HeVRe+;aYi
ztnb#FxSZN#n3&y`7Y@3T=@N^aA>(Cm2Lq^FjqG|yT-+pc#5T9alAY%$=i_f!dvnPL
ztp|}xI3Cq=ZVpTuTd%C%Th@bVdQqObtD|gT>W{6}oy3~$KDN#sT*faCtWx2VsLPKR
zBf`+LZ9>#i2*ro=<}pi8gA<xuZPP*rIhJ>r373|*WGm*lEN>=XXSsjHB1Yq6{+(Z)
zt7LHh*Vzx{?`OaN3PWhEj1%X^s>(QVAg)?vYY#+4kP?&51X?2qbXqu<OXV(53QcE<
z`50btrg|D7f2J2br@!4a`oQjR3lw0xm5{mxbaxjS8q@#j!SeFS(o-t3au~R7Apqr&
z%@L3*l*w>Wm+9(;=S<~I!5l)!ex1n~e@scD59%&|NF+w4;9oo=H?KR*90+*BdTYHJ
zZL4fbW{ty#IjvjD<)OYgz9v9V!wZzb(4SPwG6eJdDeLo2fxUF~7We;!B4)D&txjyx
zowB(Lac*tWomVm@*9sMV(3eg>wZ;X`v2cwi-6ph!;(nAv;^{n|*i)6K>`S4uv<S7l
zHZ(-ua=*@Mz;p&KEGwFDr~-qXha7j+ju#{~R?RlNy2Ytkrj1;WAF?tCwPZBp%*@dv
zy%^WtgX}{t4n+xEqXY!FB1MNu476=(F!<y&v<c_2r5olcFIKd7$c_<bWGw3gZ>fY#
z+-(4bdS=WG1j)~671C+EU$Wt#7xdzfP!G~$tQOb%-*y<UBOD45W*3D%jb=n%7-cBu
zk?cff@k$-Y<jOZaB$FP(q8p4NEJ%a6ifLnY0U%e`rABQq*+*@RETmq<+UOhZ;O|Es
zrmLbBZyu9_SsdppPA_DdHC&RTdx^Mjc7ltXB2X2#WT{UpYMf)O8=%_Ut0g}6J~wVk
zdI5qnW`Q@Zj@EfIw*clWnjw=+Z($lX1HBx7GnoZ9;ojtQOTCNM%DQ|TCEs9*&g<rg
zk{hgH6>5)DRYua{ePGOA3fT1?;ov$CQx_5Dl<*jptS2PqP*|UjTlh#z+#okFBJ|TL
zW%U6_GP9yqb2qVFNK+qcaET#XwC0)$KarjLhG`aoDoHg#qfIVe)JawQb{^P>M)-cv
zhe{oY2PSKsw-VRx)U`i7{sdPT?>NT0H8K!`V^)_dF^;!SI5TeDsW~zSk;cIi0mG}x
zA>8HY`uy*P>*C(&w%M<EsPHR7`rqRr<p0<cHtuGYmin{~#xRr8Q&QBFG?EM7q-dxn
z$EWHQ=;xWXU><Cl=bc8RWxp;3yq6gtla`{PtyL(I4yU^LIU&OecW+xY4m)){jc_Mf
zFFrP0Z`%lN#=ywZHxH0INi>VwIZd}zH^9L}JiyVh2J9)z$L^RZBxhCU=ziD2Izd9k
z*+x3iwj3J(|7r~X*T()dPTUXtdd1kU@BcoD|J>OB|0L`k^ygFD*b`qjht`=4H@`2}
zMN$(7y$)jZ$v4%_2Lj56Edd!wLUl%>Ov6<_yBi4dQD~slgQ-#B<IvP4hmxI`1?Q2b
z_V2igC*3CRxqWz+9NsTJHy#h)JFBN&yDp~Q+jt3tU=R@(^_Odt2Y?0Ccn#;oVr$Ld
zA%J4(DJXing+SmH!9=<>eLaJp++qoB;Q$1dx7+kU5XkZCIo6L<k2g>hAH@iWyN961
zBC!+{)IcsGP~v@B+61I>c0!@zQoAMc9|8id1uQJgfmq?i&x(|>yd~}Os7Z@2`Q~8`
z!kj@065IXXKxYRwV|HY(h1z0;h~L5h;;{37*nv`1;9pe;cL;g7!-NY1kHLLB0`XYp
z5fng`KhLBvV%N{4qTq;;X+CNYOM7#}Gh2Y6Fntk2SwIM{YBF00p#&iQ_(;WOzb%n`
zq6yB@TS$qcB`zcS&+f3Bvj+t~789($jgS*c$h~Q50gr8F_!kJ2+CYnR6~7R(YDxcC
z0h1!wkq8#nW=4uwWciJa>~w9)t+DhcG;jzD>j?|llcAOXwCQ{Z{oB=TFDAVNZ!9pf
zAA=syX3Ks^JC>9c=cto~EUcw&Teei>H<u67LuDm><U~3a;~ZSFbLKRzusqv)KAr*D
zR-SYFtM=@iI}N8Z$B3HUcf>}{5_;xIUUO?>H3RA9b$Q})FN1p+ryM_y8^uBp&&hj;
zx<)ZLXGwqbn{cG;ouMd)I8ha2ylWWokCf7nhkn~m>*xKAr;uj>8)tX1Z`#}R#E_k?
z0m#tkgLBN4eG2KUx@-g+GSBL;O*U;e;mAw+9GQi>yzS+MYlR06(VpkE(7(MLTP<b2
zczMI*<{1XXe=4s1?V=B|ri#Wo?0Uxueqe(eGrR^^g=or-cz0h(>sb9HV9J*sncIF7
zc1|Cdd3|vCZr>n~+Wr>39ziKD)oJXNNo&nf+$7Pshjht)S0v>kaG1aS=K&V;9krtE
z@VfF<u*cv)=Cl*`4U;jCDuC?Ri8ntC;T1f@C!BVS;Akd-x`R%h0zt)OK4f(*RB&C0
z!EEx$oecXBm6&IaB1ht!`V4OeDxy8u8k6zB1F=xUX@GCFhCH}#SX%RBrJlG1Z$E60
zg^miYENz&t(q5!h+sdL&yvAzb!=BuDvmtUtI=TQbmX6Ra8%Ur<#?)}dk0#r`NAaQ}
zLM!v*=x&+LTOwfwVOpTpAjKTF7^RPj=|u}0NQjiuDeCU6w(DntZ-=owFEmvCc2s>(
zFEFpK3?0O=NNym|nzH(LphYAoc4>ON#Et26C<ZxUe$x=3o+&!0kbp95wgse{T+5Eg
zv#QO+#R2C`&DM_nM%wmgFOrXM=-f^Ev4XC?){#O0xUk3pj93W(bDSlVAO>}BAU_G>
z@ZeyuFrr~a$UuPF_do_h!zh_ZFRyQ2*JOhbU{IG9p`>{d!CQRNN1GqmS5ehZZL^%!
zY`GdqNW(C8zp^g}v072i8?NqVo1<lAJts^gnVj(0uWi|iiHr59Sc1{EIGkuNNmw(6
zwj$*qw5#)ITh{8=)=J^K)T_spDXTnvZmPE5*o`r6Rzn0`EwwS&i@D@-4puu}EuTv)
z!79k?2^V0uX(I(X-vJ}8t;?c^15x3?U4xXxwDafp7|~lVEIc^hk!I^jay<t(EZPiR
zEV@5saJ}f;=CKwzW0G6+Z_oxp6m1PtRw4(w?BV4a+M@so+(nbD@Lw0FC59PXUP_gB
z&T2G1+!o2|m&UXohIGvN>Y+bZ8w<^dv|HpYHJaG>Rc@$ZoZ@km5b|*#aoXI`*BVgX
z!x2$OT+Ozf9{4$Io0O1=96cErU$khIGE)9gna@rp&Et4gsi*g<WIUHy5V4R?potAR
zR}LztWKBQpU=rcUg&whlouJ(Y_k{LbM<9EU{*)<3IkrD0;jmKr=0LA$1t!S%u;#Tw
z)lTW3eg{h|`-JzKm?JYoYyEn9wCY%Aaa$M317XgFB5su!>jvYzRLWB;B;~h$kQr|{
z<5^a7h*c4`&x(~5C6bBfp;hw_3#3;|vdcw4&h3Q+c3h7MWzM9fD(u=ed;8hl@Y_7-
zP%3qNXNyNRm(f&UdU}i;G4&AYg0~y^QCY&T5pWejhYhiET@F4>^|eJXMldG<h|gr3
zP(Pa;<QFb&gHPG*JQymUfCx*9B*{6_9Vej==F^>kQtV;h>0BgJun%wCWMsA{`47n6
zOCQkDz8zw43Cu#{0cuytAI-;o+l8f2_3o8Ny$2-%f{0zS+kd(|@_M~wQ6PQl)eXDC
z8=RzLF*T4&E?TP0&32xTU-lP0jPAAipWm_Y_0#P_0?RBA_Q?<`)^27CaxS>P-&kb2
zwe_|7vy?`lzZF9V_fBlHg^CiZcv2NI7C(qib#X5Z7#bmrL)hAgb>%wG?=oZ2!hU0e
za=yiQcZm*>uU}j(ZzL&yjW!_-Gr5xlQ<`1>u|ccj0kF2-+GodZADvvLQe+aRgh%Xb
zH18(4n>5OR@F5<oeqiNJGVx&&?lDcs?(40$Uu_<BFbLN4trcC=bKG{$?9{%d!g@Pv
zC@=4}25vb~uhLVBTse`~!+$y(!Mv2iVfaoQpkCM5r7Ua}KWZz(ZRdC`bxz}-Zs6~C
zsCU6aGk{t*FSEOxzQ<r4-TOZA?L7QV!(m#J*|wJB-f5QU+`L4;e|qj#s<uA~?dL^V
zt?R@Mt=;`0d!=B=&`1RIt;Cyg%#E607O1z*jZN0v>X<^AYNd~;h*=-jttJZ}v^qRk
z7jgsda)<MyZ9kpU&5~pn$=Z=|kw*awGxOA%B&TEB$Hj-R6ORhFVtwoO%x~hX<l6D!
zrRML;&i%Av@Ab?E4!|Lu{_bO?Z75wp8Hy)Xt1mj&Tfl7OyCqJN%9jJ9g`Gd~8<Ful
zJv!g9<uLdehk;Ua|3JVMAiWXb04;vPVDJMazT?tkzf?yqV~`m^2U73kKnrz0M+w|{
z#(J~p9PpZ~1gJ1dhs{&cwdPgXC$!w^B2>*B2Ni$jgk%E)<^J-mK^TMAt5gGq3QVpT
zw8Nt5SJM6Lj>+als+NWOHVaD#834(;Q%Ydj%d=D=Kq4d(BVIT?jFNsac(r4;{cErL
zN-pWw8z1%uaO#j&w$8NfpYdL$HMg!7r+e@Trvj6+hlF&MdSvaYvmPF_pUWl{${U?3
zpQXJv$Ylr?yA<t(u=%W`9vWrZQp>mH(uZsOCok?7rl7Z|$dqdGiDq|Ya&5!!_Ay=0
zy@>^T)$F|iu#B09tTMa!jwG7XNe)B^b*F?~{M*z{1I!@hzLU)>>41gf=0c*<L2MW3
zwSz^M%ZNpqYiP*stl5Hfs&NV$hHv)^)>7>k3HW3`|1h>B#E}I8U;J31uoLSqq$#jF
z=T#wDF+IOBcy`Se$$Fwg*UqJibDopV!EnjR92wZ0RlrlC-EHI0HfDG(_UEp@cVWG^
zhI!P#7_&WVZ-rg(8Wn_#JP!i(cj5u15_=E?<}#ryVq$lUaJX0*(<ZGVn!-oOjfuQz
zFy+heV&);6ktsH@eYMEG;?i6U13V^a`CK*DNQ!LazSRpCqSR@wMw|iaTPsd~jd1OG
zBt>e2HX6Aji8+8Mp)pIl`y79=@J{j!y83k7gr<_`)M@DnY$&5Xb#U)^WuR#b2WBwf
z)Z)OdYHZgoMVmCA5(OhA&0`n6Ki%pnsR0>O55Cesyg^Qt*|0**Y!>A!eMkQiA{`Fr
zJ@p`T3=g|Ldd@4Q{c8G)brY<8Y%u=(b39aqW(5`q=+z1^TuxbxF9pI$%%=CuDVcSm
zWWc0n1CR^Cu|oiQzUc!2&HngsxVr6oc^c|Uy96Kg;R6rx*5VT=yhQaDzp?SaF8SyT
z_XQv^#)0STt#Pm4`u`k8+*Lt8ByEM5<*TR%;`0aIojcPz)@pN+=hCN*P3}62JC@JH
zB+F-L`@Y#+iHJE4AD0<7p*dlGe|G1$&wj~$g;ZVY1($U36rIp9t8!P^{NO6Cr77df
zaa?Gf<s1^vHVCKD<#V|^uf6%+CN_36ubG)6^N3#^%HE5IOTB;KSgz+lYo6j+nT>bv
z#y7{c=^dbaviY06=ki|OIzp-@<xSdF+2%=Z_J)Ku@J3<i-hF%istKJq70m8_I7p-;
zV2){4CzfE9w(Srr-Iln{ypzFj=<F3$#sxgh*kvBrsy&Y4&-~IX(JHz0E=1Td5d(ga
zU||TDY_*O6%l_zag$J2(Mcnt9V7ufap5V6ZGCUFG&R2i1ROBxIH7?`p`i#qh;p{+*
z?i6?XPcwIq;d*DX3c|jtpoNJPbXEKZSd$C)0h8`=E{mzc$aIZ+YIU%~)_Ii_^x1pP
z9n>9#hy~O;o<0do0q(gU!x~{GIkBL>HVl9K`MoN#k(@`)GAnUZQx3Bh4wAuN=*H<&
z)<4>pw2j`OU-xXc^Su3=RXW%ee^pp|(bpxzN}11Yr!P>$%u+{7xBi+Y>zB99)@??x
zIrDe6<y@vRLY+|#L_~5#=9+rHh3|rbj-gl_dD%MWTS1+)Ycuf<4H&!*o=UM!p$__t
zpFhIJ9du5jYHBu?5?Eu}WN6pB(P(p7?G2uveg3;pck*;E8viBo2L4rxlam4lK>_-=
z7MRW8(24*H5Ks*fFwkE*aQ|rr`i2%J_BKw|fG=IRe?qsofzk}rfPkKGL4f|M^8MR9
zza0Jt^s5GK`%gHGhbCPdArR13`M)&E{td^C1_JsLAagXb{!5PTpSZtk+QI)D^!0R5
z{de5|H0IwW*8X$0t=s?5!29R0f0tAH&)FL9{tt?5|Aha&c>kB?+P|&w3;usAu>I55
z-wUsQmHYo~!AQXWD7OAr*6p7@{+_`5&*`9{{L{x*!S<i<zvnvsN(TJfzT^E3{$Hbi
z<^2BX;qQrtzj7k~HZsD$d-(4R$v++ZeO3SGE1dpM4!*Jza#G-b$<+bDeSO}(5;fg)
JU)&0y{|5&_dyD`8

literal 0
HcmV?d00001

diff --git a/example/src/main/resources/static/img/eu-fund-flags.svg b/example/src/main/resources/static/img/eu-fund-flags.svg
new file mode 100644
index 0000000..0e99b0d
--- /dev/null
+++ b/example/src/main/resources/static/img/eu-fund-flags.svg
@@ -0,0 +1,787 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   width="155.9055pt"
+   height="90.7087pt"
+   viewBox="0 0 155.9055 90.7087"
+   version="1.2"
+   id="svg302"
+   sodipodi:docname="flags_coloured.svg"
+   inkscape:version="0.92.2 (unknown)">
+  <metadata
+     id="metadata306">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <sodipodi:namedview
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1"
+     objecttolerance="10"
+     gridtolerance="10"
+     guidetolerance="10"
+     inkscape:pageopacity="0"
+     inkscape:pageshadow="2"
+     inkscape:window-width="1920"
+     inkscape:window-height="1017"
+     id="namedview304"
+     showgrid="false"
+     inkscape:zoom="6.821286"
+     inkscape:cx="103.937"
+     inkscape:cy="60.472468"
+     inkscape:window-x="0"
+     inkscape:window-y="27"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="svg302" />
+  <defs
+     id="defs135">
+    <g
+       id="g130">
+      <symbol
+         overflow="visible"
+         id="glyph0-0">
+        <path
+           style="stroke:none;"
+           d=""
+           id="path64" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-1">
+        <path
+           style="stroke:none;"
+           d="M 0.4375 -0.15625 L 0.4375 -5.96875 L 4.90625 -5.96875 L 4.90625 -4.984375 L 1.5625 -4.984375 L 1.5625 -3.5625 L 4.6875 -3.5625 L 4.6875 -2.59375 L 1.5625 -2.59375 L 1.5625 -0.96875 L 5.03125 -0.96875 L 5.03125 0 L 0.4375 0 Z M 0.4375 -0.15625 "
+           id="path67" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-2">
+        <path
+           style="stroke:none;"
+           d="M 3.015625 -0.15625 L 3.015625 -0.75 L 3.34375 -0.640625 C 3.015625 -0.1875 2.453125 0.09375 1.90625 0.09375 C 1.671875 0.09375 1.4375 0.046875 1.234375 -0.046875 C 1.015625 -0.140625 0.734375 -0.296875 0.625 -0.4375 C 0.53125 -0.578125 0.40625 -0.859375 0.359375 -1.0625 C 0.328125 -1.203125 0.3125 -1.421875 0.3125 -1.703125 L 0.3125 -4.40625 L 1.390625 -4.40625 L 1.390625 -1.96875 C 1.390625 -1.609375 1.40625 -1.375 1.421875 -1.234375 C 1.46875 -1.0625 1.515625 -1.015625 1.640625 -0.921875 C 1.78125 -0.8125 1.84375 -0.8125 2.046875 -0.8125 C 2.25 -0.8125 2.3125 -0.8125 2.5 -0.921875 C 2.6875 -1.03125 2.765625 -1.0625 2.828125 -1.25 C 2.90625 -1.4375 2.953125 -1.703125 2.953125 -2.0625 L 2.953125 -4.40625 L 4.015625 -4.40625 L 4.015625 0 L 3.015625 0 Z M 3.015625 -0.15625 "
+           id="path70" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-3">
+        <path
+           style="stroke:none;"
+           d="M 0.328125 -0.15625 L 0.328125 -4.40625 L 1.328125 -4.40625 L 1.328125 -3.625 L 1 -3.734375 C 1.15625 -4.03125 1.3125 -4.21875 1.453125 -4.3125 C 1.578125 -4.390625 1.859375 -4.484375 2.03125 -4.484375 C 2.265625 -4.484375 2.625 -4.375 2.953125 -4.171875 L 2.578125 -3.21875 C 2.203125 -3.46875 2.171875 -3.484375 2 -3.484375 C 1.84375 -3.484375 1.828125 -3.46875 1.703125 -3.375 C 1.59375 -3.28125 1.5625 -3.265625 1.515625 -3.109375 C 1.4375 -2.859375 1.390625 -2.59375 1.390625 -2.296875 L 1.390625 0 L 0.328125 0 Z M 0.328125 -0.15625 "
+           id="path73" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-4">
+        <path
+           style="stroke:none;"
+           d="M 0.078125 -2.203125 C 0.078125 -2.953125 0.34375 -3.625 0.765625 -4 C 1.109375 -4.296875 1.671875 -4.484375 2.1875 -4.484375 C 2.75 -4.484375 3.34375 -4.265625 3.6875 -3.890625 C 4.0625 -3.53125 4.28125 -2.90625 4.28125 -2.265625 C 4.28125 -1.734375 4.15625 -1.203125 4 -0.90625 C 3.828125 -0.59375 3.609375 -0.359375 3.3125 -0.203125 C 3 -0.03125 2.546875 0.09375 2.1875 0.09375 C 1.609375 0.09375 1.015625 -0.140625 0.65625 -0.5 C 0.3125 -0.875 0.078125 -1.515625 0.078125 -2.203125 Z M 1.15625 -2.203125 C 1.15625 -1.671875 1.21875 -1.390625 1.453125 -1.125 C 1.671875 -0.859375 1.84375 -0.78125 2.1875 -0.78125 C 2.53125 -0.78125 2.6875 -0.859375 2.90625 -1.125 C 3.140625 -1.390625 3.203125 -1.6875 3.203125 -2.21875 C 3.203125 -2.734375 3.140625 -3 2.90625 -3.265625 C 2.6875 -3.53125 2.53125 -3.625 2.1875 -3.625 C 1.84375 -3.625 1.671875 -3.53125 1.453125 -3.265625 C 1.21875 -3 1.15625 -2.734375 1.15625 -2.203125 Z M 1.15625 -2.203125 "
+           id="path76" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-5">
+        <path
+           style="stroke:none;"
+           d="M 0.328125 1.421875 L 0.328125 -4.40625 L 1.34375 -4.40625 L 1.34375 -3.71875 L 1.015625 -3.8125 C 1.171875 -4.03125 1.34375 -4.1875 1.53125 -4.296875 C 1.71875 -4.390625 2.078125 -4.484375 2.34375 -4.484375 C 2.703125 -4.484375 3.125 -4.359375 3.40625 -4.171875 C 3.671875 -4 3.921875 -3.640625 4.0625 -3.3125 C 4.203125 -2.984375 4.265625 -2.625 4.265625 -2.234375 C 4.265625 -1.8125 4.1875 -1.4375 4.046875 -1.09375 C 3.890625 -0.765625 3.609375 -0.390625 3.328125 -0.21875 C 3.03125 -0.046875 2.609375 0.09375 2.296875 0.09375 C 2.0625 0.09375 1.71875 0.015625 1.53125 -0.09375 C 1.359375 -0.1875 1.203125 -0.3125 1.078125 -0.46875 L 1.40625 -0.578125 L 1.40625 1.578125 L 0.328125 1.578125 Z M 1.34375 -2.171875 C 1.34375 -1.65625 1.390625 -1.359375 1.59375 -1.109375 C 1.8125 -0.859375 1.9375 -0.78125 2.25 -0.78125 C 2.546875 -0.78125 2.6875 -0.859375 2.90625 -1.125 C 3.125 -1.390625 3.171875 -1.6875 3.171875 -2.234375 C 3.171875 -2.765625 3.125 -3.03125 2.921875 -3.296875 C 2.703125 -3.5625 2.578125 -3.65625 2.28125 -3.65625 C 1.984375 -3.65625 1.84375 -3.546875 1.625 -3.265625 C 1.390625 -3 1.34375 -2.703125 1.34375 -2.171875 Z M 1.34375 -2.171875 "
+           id="path79" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-6">
+        <path
+           style="stroke:none;"
+           d="M 3.328125 -0.546875 C 3.0625 -0.328125 2.6875 -0.140625 2.453125 -0.046875 C 2.21875 0.046875 1.953125 0.09375 1.6875 0.09375 C 1.234375 0.09375 0.765625 -0.0625 0.515625 -0.28125 C 0.28125 -0.5 0.09375 -0.890625 0.09375 -1.234375 C 0.09375 -1.4375 0.203125 -1.71875 0.296875 -1.875 C 0.375 -2.046875 0.5 -2.1875 0.640625 -2.28125 C 0.796875 -2.390625 1.09375 -2.5 1.28125 -2.5625 C 1.421875 -2.59375 1.625 -2.625 1.890625 -2.671875 C 2.453125 -2.734375 2.875 -2.8125 2.953125 -2.828125 C 2.953125 -2.84375 2.953125 -2.90625 2.953125 -2.9375 C 2.953125 -3.21875 2.9375 -3.3125 2.8125 -3.421875 C 2.625 -3.578125 2.5 -3.625 2.15625 -3.625 C 1.828125 -3.625 1.71875 -3.59375 1.5625 -3.484375 C 1.40625 -3.375 1.34375 -3.28125 1.21875 -2.8125 L 0.1875 -2.953125 C 0.28125 -3.375 0.4375 -3.703125 0.578125 -3.890625 C 0.71875 -4.0625 1.0625 -4.25 1.328125 -4.34375 C 1.59375 -4.4375 1.90625 -4.484375 2.25 -4.484375 C 2.609375 -4.484375 2.890625 -4.453125 3.109375 -4.375 C 3.328125 -4.28125 3.609375 -4.140625 3.71875 -4.015625 C 3.8125 -3.890625 3.9375 -3.625 4 -3.4375 C 4.015625 -3.328125 4.03125 -3.109375 4.03125 -2.796875 L 4.03125 -1.859375 C 4.03125 -1.21875 4.046875 -0.8125 4.078125 -0.640625 C 4.09375 -0.46875 4.109375 -0.40625 4.328125 0 L 3.21875 0 C 3.125 -0.1875 3.03125 -0.46875 3.046875 -0.3125 Z M 3.140625 -2.0625 C 2.890625 -1.953125 2.5 -1.859375 2.015625 -1.796875 C 1.71875 -1.75 1.515625 -1.703125 1.40625 -1.65625 C 1.28125 -1.609375 1.3125 -1.578125 1.25 -1.46875 C 1.1875 -1.375 1.203125 -1.375 1.203125 -1.25 C 1.203125 -1.0625 1.21875 -1.015625 1.375 -0.890625 C 1.5 -0.765625 1.578125 -0.75 1.84375 -0.75 C 2.125 -0.75 2.21875 -0.765625 2.4375 -0.875 C 2.640625 -1 2.75 -1.0625 2.84375 -1.25 C 2.90625 -1.421875 2.953125 -1.640625 2.953125 -1.953125 L 2.953125 -1.96875 Z M 3.140625 -2.0625 "
+           id="path82" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-7">
+        <path
+           style="stroke:none;"
+           d=""
+           id="path85" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-8">
+        <path
+           style="stroke:none;"
+           d="M 0.390625 -0.15625 L 0.390625 -5.96875 L 1.515625 -5.96875 L 1.515625 -0.96875 L 4.296875 -0.96875 L 4.296875 0 L 0.390625 0 Z M 0.390625 -0.15625 "
+           id="path88" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-9">
+        <path
+           style="stroke:none;"
+           d="M 0.328125 -5.015625 L 0.328125 -5.96875 L 1.40625 -5.96875 L 1.40625 -4.859375 L 0.328125 -4.859375 Z M 0.328125 -0.15625 L 0.328125 -4.40625 L 1.40625 -4.40625 L 1.40625 0 L 0.328125 0 Z M 0.328125 -0.15625 "
+           id="path91" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-10">
+        <path
+           style="stroke:none;"
+           d="M 2.21875 -0.78125 L 2.34375 -0.046875 C 1.9375 0.03125 1.765625 0.0625 1.609375 0.0625 C 1.359375 0.0625 1.03125 -0.03125 0.890625 -0.109375 C 0.75 -0.1875 0.59375 -0.40625 0.546875 -0.53125 C 0.484375 -0.671875 0.453125 -0.9375 0.453125 -1.359375 L 0.453125 -3.5625 L -0.046875 -3.5625 L -0.046875 -4.40625 L 0.453125 -4.40625 L 0.453125 -5.34375 L 1.53125 -5.984375 L 1.53125 -4.40625 L 2.21875 -4.40625 L 2.21875 -3.5625 L 1.53125 -3.5625 L 1.53125 -1.3125 C 1.53125 -1.109375 1.53125 -0.984375 1.5625 -0.9375 C 1.578125 -0.875 1.5625 -0.9375 1.625 -0.90625 C 1.671875 -0.859375 1.625 -0.890625 1.734375 -0.890625 C 1.8125 -0.890625 1.90625 -0.90625 2.1875 -0.953125 Z M 2.21875 -0.78125 "
+           id="path94" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-11">
+        <path
+           style="stroke:none;"
+           d="M 0.4375 -0.15625 L 0.4375 -5.96875 L 3.125 -5.96875 C 3.640625 -5.96875 4.015625 -5.90625 4.28125 -5.8125 C 4.546875 -5.703125 4.875 -5.484375 5.03125 -5.21875 C 5.1875 -4.96875 5.328125 -4.578125 5.328125 -4.265625 C 5.328125 -3.859375 5.140625 -3.421875 4.890625 -3.140625 C 4.625 -2.859375 4.09375 -2.65625 3.546875 -2.578125 L 3.546875 -2.875 C 3.75 -2.78125 4.03125 -2.640625 4.125 -2.546875 C 4.34375 -2.34375 4.546875 -2.09375 4.75 -1.796875 L 5.90625 0 L 4.5625 0 L 3.78125 -1.21875 C 3.5625 -1.5625 3.390625 -1.8125 3.234375 -2 C 3.09375 -2.171875 2.96875 -2.296875 2.859375 -2.375 C 2.75 -2.453125 2.78125 -2.453125 2.65625 -2.484375 C 2.5625 -2.5 2.4375 -2.515625 2.234375 -2.515625 L 1.546875 -2.515625 L 1.546875 0 L 0.4375 0 Z M 1.375 -3.46875 L 2.984375 -3.46875 C 3.328125 -3.46875 3.59375 -3.5 3.78125 -3.5625 C 3.984375 -3.640625 4 -3.703125 4.09375 -3.859375 C 4.1875 -4.015625 4.1875 -4.078125 4.1875 -4.265625 C 4.1875 -4.53125 4.140625 -4.640625 3.9375 -4.8125 C 3.75 -4.984375 3.578125 -5.03125 3.15625 -5.03125 L 1.546875 -5.03125 L 1.546875 -3.46875 Z M 1.375 -3.46875 "
+           id="path97" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-12">
+        <path
+           style="stroke:none;"
+           d="M 3.328125 -1.625 L 4.265625 -1.5 C 4.109375 -0.96875 3.84375 -0.53125 3.546875 -0.296875 C 3.234375 -0.0625 2.71875 0.09375 2.25 0.09375 C 1.640625 0.09375 1.03125 -0.140625 0.6875 -0.5 C 0.328125 -0.875 0.109375 -1.5 0.109375 -2.171875 C 0.109375 -2.859375 0.328125 -3.5 0.6875 -3.875 C 1.046875 -4.25 1.640625 -4.484375 2.203125 -4.484375 C 2.75 -4.484375 3.328125 -4.265625 3.671875 -3.890625 C 4.03125 -3.515625 4.25 -2.890625 4.25 -2.203125 C 4.25 -2.171875 4.25 -2.109375 4.234375 -1.875 L 1.203125 -1.875 C 1.21875 -1.578125 1.28125 -1.328125 1.515625 -1.09375 C 1.75 -0.859375 1.90625 -0.78125 2.25 -0.78125 C 2.5 -0.78125 2.578125 -0.796875 2.765625 -0.9375 C 2.953125 -1.0625 3.03125 -1.171875 3.1875 -1.640625 Z M 1.046875 -2.75 L 3.125 -2.75 C 3.109375 -2.9375 3.078125 -3.09375 2.9375 -3.25 C 2.71875 -3.53125 2.5625 -3.625 2.21875 -3.625 C 1.890625 -3.625 1.75 -3.5625 1.53125 -3.34375 C 1.328125 -3.125 1.25 -2.953125 1.234375 -2.75 Z M 1.046875 -2.75 "
+           id="path100" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-13">
+        <path
+           style="stroke:none;"
+           d="M 0.390625 0.046875 L 1.21875 0.171875 C 1.28125 0.5 1.296875 0.546875 1.4375 0.640625 C 1.609375 0.78125 1.71875 0.796875 2.015625 0.796875 C 2.328125 0.796875 2.453125 0.78125 2.625 0.640625 C 2.796875 0.515625 2.859375 0.4375 2.921875 0.203125 C 2.953125 0.0625 2.96875 -0.234375 2.96875 -0.6875 L 3.28125 -0.578125 C 2.984375 -0.21875 2.484375 0 2.03125 0 C 1.46875 0 0.890625 -0.25 0.578125 -0.640625 C 0.28125 -1.0625 0.0625 -1.65625 0.0625 -2.21875 C 0.0625 -2.609375 0.140625 -2.96875 0.28125 -3.3125 C 0.421875 -3.640625 0.6875 -4 0.953125 -4.171875 C 1.21875 -4.359375 1.671875 -4.484375 2.03125 -4.484375 C 2.515625 -4.484375 3.046875 -4.25 3.359375 -3.859375 L 3.03125 -3.75 L 3.03125 -4.40625 L 4.046875 -4.40625 L 4.046875 -0.703125 C 4.046875 -0.078125 3.984375 0.390625 3.9375 0.46875 C 3.671875 1.03125 3.46875 1.234375 3.1875 1.390625 C 2.90625 1.546875 2.421875 1.671875 2.015625 1.671875 C 1.53125 1.671875 1 1.515625 0.703125 1.296875 C 0.390625 1.078125 0.203125 0.625 0.203125 0.015625 Z M 1.15625 -2.28125 C 1.15625 -1.734375 1.203125 -1.453125 1.421875 -1.203125 C 1.625 -0.953125 1.765625 -0.875 2.09375 -0.875 C 2.40625 -0.875 2.546875 -0.953125 2.765625 -1.1875 C 2.984375 -1.453125 3.03125 -1.71875 3.03125 -2.25 C 3.03125 -2.75 2.96875 -3.015625 2.75 -3.265625 C 2.53125 -3.53125 2.390625 -3.625 2.078125 -3.625 C 1.765625 -3.625 1.640625 -3.53125 1.421875 -3.28125 C 1.203125 -3.03125 1.15625 -2.765625 1.15625 -2.28125 Z M 1.15625 -2.28125 "
+           id="path103" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-14">
+        <path
+           style="stroke:none;"
+           d="M 0.328125 -0.15625 L 0.328125 -4.40625 L 1.328125 -4.40625 L 1.328125 -3.671875 L 1.015625 -3.765625 C 1.3125 -4.21875 1.875 -4.484375 2.453125 -4.484375 C 2.703125 -4.484375 2.921875 -4.453125 3.125 -4.359375 C 3.34375 -4.265625 3.625 -4.109375 3.71875 -3.96875 C 3.828125 -3.8125 3.953125 -3.546875 4 -3.34375 C 4.03125 -3.21875 4.03125 -3 4.03125 -2.671875 L 4.03125 0 L 2.96875 0 L 2.96875 -2.65625 C 2.96875 -2.921875 2.9375 -3.140625 2.890625 -3.28125 C 2.828125 -3.421875 2.796875 -3.421875 2.65625 -3.5 C 2.515625 -3.59375 2.484375 -3.59375 2.3125 -3.59375 C 2.015625 -3.59375 1.875 -3.53125 1.671875 -3.359375 C 1.453125 -3.15625 1.40625 -2.921875 1.40625 -2.390625 L 1.40625 0 L 0.328125 0 Z M 0.328125 -0.15625 "
+           id="path106" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-15">
+        <path
+           style="stroke:none;"
+           d="M 0.3125 -0.15625 L 0.3125 -5.96875 L 1.390625 -5.96875 L 1.390625 0 L 0.3125 0 Z M 0.3125 -0.15625 "
+           id="path109" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-16">
+        <path
+           style="stroke:none;"
+           d="M 0.453125 -0.15625 L 0.453125 -5.96875 L 4.65625 -5.96875 L 4.65625 -4.984375 L 1.578125 -4.984375 L 1.578125 -3.546875 L 4.234375 -3.546875 L 4.234375 -2.5625 L 1.578125 -2.5625 L 1.578125 0 L 0.453125 0 Z M 0.453125 -0.15625 "
+           id="path112" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-17">
+        <path
+           style="stroke:none;"
+           d="M 2.984375 -0.15625 L 2.984375 -0.671875 L 3.3125 -0.5625 C 3.046875 -0.15625 2.53125 0.09375 2.03125 0.09375 C 1.703125 0.09375 1.265625 -0.046875 1 -0.21875 C 0.734375 -0.390625 0.453125 -0.765625 0.3125 -1.078125 C 0.15625 -1.40625 0.078125 -1.78125 0.078125 -2.203125 C 0.078125 -2.609375 0.15625 -2.984375 0.28125 -3.3125 C 0.421875 -3.640625 0.6875 -4 0.953125 -4.1875 C 1.21875 -4.359375 1.671875 -4.484375 2.015625 -4.484375 C 2.25 -4.484375 2.59375 -4.390625 2.796875 -4.296875 C 2.984375 -4.1875 3.140625 -4.046875 3.265625 -3.875 L 2.953125 -3.78125 L 2.953125 -5.96875 L 4.015625 -5.96875 L 4.015625 0 L 2.984375 0 Z M 1.171875 -2.203125 C 1.171875 -1.671875 1.21875 -1.390625 1.453125 -1.125 C 1.671875 -0.859375 1.796875 -0.78125 2.109375 -0.78125 C 2.40625 -0.78125 2.53125 -0.859375 2.75 -1.109375 C 2.953125 -1.359375 3 -1.625 3 -2.140625 C 3 -2.703125 2.953125 -3 2.734375 -3.265625 C 2.515625 -3.53125 2.390625 -3.625 2.078125 -3.625 C 1.765625 -3.625 1.625 -3.53125 1.421875 -3.28125 C 1.21875 -3.03125 1.171875 -2.75 1.171875 -2.203125 Z M 1.171875 -2.203125 "
+           id="path115" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-18">
+        <path
+           style="stroke:none;"
+           d="M 0.25 -1.53125 L 1.09375 -1.65625 C 1.15625 -1.203125 1.203125 -1.09375 1.390625 -0.953125 C 1.5625 -0.8125 1.671875 -0.78125 2 -0.78125 C 2.3125 -0.78125 2.40625 -0.796875 2.5625 -0.921875 C 2.71875 -1.0625 2.75 -1.109375 2.75 -1.28125 C 2.75 -1.4375 2.734375 -1.453125 2.59375 -1.546875 C 2.5 -1.609375 2.390625 -1.640625 2.015625 -1.734375 C 1.515625 -1.859375 1.15625 -1.96875 0.953125 -2.078125 L 0.828125 -2.109375 C 0.625 -2.203125 0.484375 -2.328125 0.375 -2.5 C 0.28125 -2.671875 0.171875 -2.96875 0.171875 -3.15625 C 0.171875 -3.34375 0.265625 -3.609375 0.34375 -3.765625 C 0.4375 -3.921875 0.546875 -4.0625 0.703125 -4.15625 C 0.796875 -4.234375 1.078125 -4.359375 1.265625 -4.40625 C 1.453125 -4.46875 1.65625 -4.484375 1.859375 -4.484375 C 2.1875 -4.484375 2.46875 -4.4375 2.71875 -4.359375 C 2.953125 -4.265625 3.265625 -4.09375 3.390625 -3.921875 C 3.5 -3.765625 3.625 -3.453125 3.703125 -3.0625 L 2.65625 -2.921875 C 2.59375 -3.3125 2.5625 -3.375 2.40625 -3.484375 C 2.265625 -3.609375 2.1875 -3.625 1.921875 -3.625 C 1.59375 -3.625 1.5 -3.609375 1.359375 -3.5 C 1.21875 -3.40625 1.203125 -3.390625 1.203125 -3.234375 C 1.203125 -3.15625 1.1875 -3.171875 1.234375 -3.09375 C 1.296875 -3.03125 1.265625 -3.015625 1.390625 -2.96875 C 1.453125 -2.9375 1.65625 -2.875 2 -2.796875 C 2.484375 -2.65625 2.828125 -2.546875 3.03125 -2.46875 C 3.21875 -2.375 3.5 -2.21875 3.609375 -2.0625 C 3.71875 -1.890625 3.828125 -1.59375 3.828125 -1.359375 C 3.828125 -1.125 3.703125 -0.796875 3.578125 -0.59375 C 3.4375 -0.390625 3.109375 -0.1875 2.859375 -0.078125 C 2.609375 0.046875 2.3125 0.09375 2 0.09375 C 1.46875 0.09375 0.921875 -0.0625 0.640625 -0.28125 C 0.359375 -0.5 0.140625 -0.9375 0.03125 -1.484375 Z M 0.25 -1.53125 "
+           id="path118" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-19">
+        <path
+           style="stroke:none;"
+           d="M 1.46875 -0.15625 L -0.140625 -4.40625 L 0.96875 -4.40625 L 1.890625 -1.796875 C 2 -1.53125 2.078125 -1.25 2.15625 -0.96875 L 1.78125 -0.96875 C 1.84375 -1.1875 1.9375 -1.453125 2.046875 -1.75 L 3.015625 -4.40625 L 4.09375 -4.40625 L 2.4375 0 L 1.53125 0 Z M 1.46875 -0.15625 "
+           id="path121" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-20">
+        <path
+           style="stroke:none;"
+           d="M 0.328125 -0.15625 L 0.328125 -5.96875 L 1.40625 -5.96875 L 1.40625 -2.578125 L 1.078125 -2.6875 L 2.78125 -4.40625 L 4.15625 -4.40625 L 2.40625 -2.703125 L 4.21875 0 L 2.96875 0 L 1.671875 -1.984375 L 1.40625 -1.71875 L 1.40625 0 L 0.328125 0 Z M 0.328125 -0.15625 "
+           id="path124" />
+      </symbol>
+      <symbol
+         overflow="visible"
+         id="glyph0-21">
+        <path
+           style="stroke:none;"
+           d="M 0.328125 -0.15625 L 0.328125 -5.96875 L 1.40625 -5.96875 L 1.40625 -3.78125 L 1.078125 -3.875 C 1.40625 -4.265625 1.953125 -4.484375 2.4375 -4.484375 C 2.75 -4.484375 3.140625 -4.390625 3.359375 -4.265625 C 3.59375 -4.15625 3.796875 -3.875 3.890625 -3.671875 C 4 -3.453125 4.046875 -3.140625 4.046875 -2.75 L 4.046875 0 L 2.96875 0 L 2.96875 -2.75 C 2.96875 -3.09375 2.953125 -3.234375 2.8125 -3.40625 C 2.65625 -3.5625 2.578125 -3.59375 2.296875 -3.59375 C 2.09375 -3.59375 2.03125 -3.578125 1.84375 -3.46875 C 1.671875 -3.375 1.59375 -3.34375 1.515625 -3.140625 C 1.4375 -2.96875 1.40625 -2.71875 1.40625 -2.390625 L 1.40625 0 L 0.328125 0 Z M 0.328125 -0.15625 "
+           id="path127" />
+      </symbol>
+    </g>
+    <clipPath
+       id="clip1">
+      <path
+         d="M 0 0 L 155.90625 0 L 155.90625 90.707031 L 0 90.707031 Z M 0 0 "
+         id="path132" />
+    </clipPath>
+  </defs>
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-1"
+     x="23.6784"
+     y="68.544899"
+     id="use141"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-2"
+     x="28.95237"
+     y="68.544899"
+     id="use143"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-3"
+     x="33.34866"
+     y="68.544899"
+     id="use145"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-4"
+     x="35.981693"
+     y="68.544899"
+     id="use147"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-4"
+     x="40.377983"
+     y="68.544899"
+     id="use149"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-5"
+     x="44.774277"
+     y="68.544899"
+     id="use151"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-6"
+     x="49.170567"
+     y="68.544899"
+     id="use153"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-7"
+     x="53.56686"
+     y="68.544899"
+     id="use155"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-8"
+     x="55.765007"
+     y="68.544899"
+     id="use157"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-9"
+     x="60.161297"
+     y="68.544899"
+     id="use159"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-9"
+     x="61.916653"
+     y="68.544899"
+     id="use161"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-10"
+     x="63.672005"
+     y="68.544899"
+     id="use163"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-1"
+     x="29.8304"
+     y="76.615097"
+     id="use167"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-2"
+     x="35.10437"
+     y="76.615097"
+     id="use169"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-3"
+     x="39.50066"
+     y="76.615097"
+     id="use171"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-4"
+     x="42.133694"
+     y="76.615097"
+     id="use173"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-4"
+     x="46.529984"
+     y="76.615097"
+     id="use175"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-5"
+     x="50.926277"
+     y="76.615097"
+     id="use177"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-6"
+     x="55.322567"
+     y="76.615097"
+     id="use179"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-11"
+     x="4.5524001"
+     y="84.6856"
+     id="use183"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-12"
+     x="10.261254"
+     y="84.6856"
+     id="use185"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-13"
+     x="14.657546"
+     y="84.6856"
+     id="use187"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-9"
+     x="19.053839"
+     y="84.6856"
+     id="use189"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-4"
+     x="20.809193"
+     y="84.6856"
+     id="use191"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-14"
+     x="25.205484"
+     y="84.6856"
+     id="use193"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-6"
+     x="29.601776"
+     y="84.6856"
+     id="use195"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-6"
+     x="33.99807"
+     y="84.6856"
+     id="use197"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-15"
+     x="38.39436"
+     y="84.6856"
+     id="use199"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-6"
+     x="40.149715"
+     y="84.6856"
+     id="use201"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-3"
+     x="44.546005"
+     y="84.6856"
+     id="use203"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-12"
+     x="47.179035"
+     y="84.6856"
+     id="use205"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-14"
+     x="51.575329"
+     y="84.6856"
+     id="use207"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-13"
+     x="55.971622"
+     y="84.6856"
+     id="use209"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-2"
+     x="60.367912"
+     y="84.6856"
+     id="use211"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-7"
+     x="64.764206"
+     y="84.6856"
+     id="use213"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-16"
+     x="66.962349"
+     y="84.6856"
+     id="use215"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-4"
+     x="71.793526"
+     y="84.6856"
+     id="use217"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-14"
+     x="76.189819"
+     y="84.6856"
+     id="use219"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-17"
+     x="80.586113"
+     y="84.6856"
+     id="use221"
+     width="100%"
+     height="100%" />
+  <path
+     inkscape:connector-curvature="0"
+     id="path225"
+     d="M 5.660156,5.734375 H 83.589844 V 57.863281 H 5.660156 Z m 0,0"
+     style="fill:#2347a3;fill-opacity:1;fill-rule:evenodd;stroke:none" />
+  <path
+     inkscape:connector-curvature="0"
+     id="path227"
+     d="m 45.199219,13.324219 h 2.246093 l -1.8125,1.359375 0.703126,2.152344 -1.804688,-1.320313 -1.800781,1.320313 0.710937,-2.152344 -1.828125,-1.359375 h 2.246094 l 0.671875,-2.097657 z m 0,0"
+     style="fill:#fff000;fill-opacity:1;fill-rule:evenodd;stroke:none" />
+  <path
+     inkscape:connector-curvature="0"
+     id="path229"
+     d="m 45.296875,48.0625 h 2.246094 l -1.804688,1.355469 0.695313,2.15625 -1.800782,-1.328125 -1.804687,1.328125 0.714844,-2.15625 -1.828125,-1.355469 h 2.238281 l 0.679687,-2.097656 z m 0,0"
+     style="fill:#fff000;fill-opacity:1;fill-rule:evenodd;stroke:none" />
+  <path
+     inkscape:connector-curvature="0"
+     id="path231"
+     d="m 53.894531,45.761719 h 2.25 l -1.8125,1.355469 0.703125,2.148437 -1.800781,-1.324219 -1.8125,1.324219 0.714844,-2.148437 -1.824219,-1.355469 h 2.242188 l 0.679687,-2.105469 z m 0,0"
+     style="fill:#fff000;fill-opacity:1;fill-rule:evenodd;stroke:none" />
+  <path
+     inkscape:connector-curvature="0"
+     id="path233"
+     d="m 53.894531,15.613281 h 2.25 l -1.8125,1.359375 0.703125,2.148438 -1.800781,-1.324219 -1.8125,1.324219 0.714844,-2.148438 -1.824219,-1.359375 h 2.242188 l 0.679687,-2.097656 z m 0,0"
+     style="fill:#fff000;fill-opacity:1;fill-rule:evenodd;stroke:none" />
+  <path
+     inkscape:connector-curvature="0"
+     id="path235"
+     d="m 60.28125,21.992188 h 2.238281 l -1.804687,1.355468 0.703125,2.160156 -1.800781,-1.328124 -1.804688,1.328124 0.707031,-2.160156 -1.824219,-1.355468 h 2.238282 l 0.683594,-2.09375 z m 0,0"
+     style="fill:#fff000;fill-opacity:1;fill-rule:evenodd;stroke:none" />
+  <path
+     inkscape:connector-curvature="0"
+     id="path237"
+     d="m 60.28125,39.460938 h 2.238281 l -1.804687,1.355468 0.703125,2.152344 -1.800781,-1.320312 -1.804688,1.320312 0.707031,-2.152344 -1.824219,-1.355468 h 2.238282 l 0.683594,-2.097657 z m 0,0"
+     style="fill:#fff000;fill-opacity:1;fill-rule:evenodd;stroke:none" />
+  <path
+     inkscape:connector-curvature="0"
+     id="path239"
+     d="m 62.671875,30.597656 h 2.246094 l -1.808594,1.355469 0.699219,2.15625 -1.800782,-1.324219 -1.804687,1.324219 0.714844,-2.15625 -1.824219,-1.355469 h 2.234375 l 0.679687,-2.101562 z m 0,0"
+     style="fill:#fff000;fill-opacity:1;fill-rule:evenodd;stroke:none" />
+  <path
+     inkscape:connector-curvature="0"
+     id="path241"
+     d="m 36.429688,15.636719 h 2.246093 l -1.8125,1.359375 0.707031,2.148437 -1.804687,-1.328125 -1.804687,1.328125 0.714843,-2.148437 -1.824219,-1.359375 h 2.238282 l 0.675781,-2.101563 z m 0,0"
+     style="fill:#fff000;fill-opacity:1;fill-rule:evenodd;stroke:none" />
+  <path
+     inkscape:connector-curvature="0"
+     id="path243"
+     d="m 30.222656,22.019531 h 2.25 l -1.8125,1.355469 0.703125,2.152344 -1.804687,-1.324219 -1.800782,1.324219 L 28.46875,23.375 26.640625,22.019531 h 2.242187 l 0.675782,-2.097656 z m 0,0"
+     style="fill:#fff000;fill-opacity:1;fill-rule:evenodd;stroke:none" />
+  <path
+     inkscape:connector-curvature="0"
+     id="path245"
+     d="m 27.921875,30.617188 h 2.238281 l -1.800781,1.359374 0.699219,2.152344 -1.800782,-1.324218 -1.800781,1.324218 0.707031,-2.152344 -1.824218,-1.359374 h 2.238281 l 0.679687,-2.097657 z m 0,0"
+     style="fill:#fff000;fill-opacity:1;fill-rule:evenodd;stroke:none" />
+  <path
+     inkscape:connector-curvature="0"
+     id="path247"
+     d="m 30.222656,39.484375 h 2.25 l -1.8125,1.355469 0.703125,2.152344 -1.804687,-1.324219 -1.800782,1.324219 0.710938,-2.152344 -1.828125,-1.355469 h 2.242187 l 0.675782,-2.097656 z m 0,0"
+     style="fill:#fff000;fill-opacity:1;fill-rule:evenodd;stroke:none" />
+  <path
+     inkscape:connector-curvature="0"
+     id="path249"
+     d="m 36.519531,45.78125 h 2.246094 l -1.8125,1.359375 0.703125,2.148437 -1.800781,-1.324218 -1.804688,1.324218 0.710938,-2.148437 L 32.9375,45.78125 h 2.238281 l 0.679688,-2.105469 z m 0,0"
+     style="fill:#fff000;fill-opacity:1;fill-rule:evenodd;stroke:none" />
+  <path
+     inkscape:connector-curvature="0"
+     id="path251"
+     d="m 126.99609,16.121094 c 6.08203,0.5625 11.6836,2.550781 16.53125,5.597656 0.004,0.0078 0.13282,0.09375 0.33203,0.222656 -6.12109,-8.734375 -15.99609,-14.851562 -27.5664,-15.925781 -10.12891,-0.933594 -19.671876,2.167969 -27.007814,7.949219 5.566406,1.105468 10.460938,3.902344 14.187504,7.789062 6.76562,-4.265625 14.9414,-6.425781 23.52343,-5.632812"
+     style="fill:#2678c7;fill-opacity:1;fill-rule:evenodd;stroke:none" />
+  <path
+     inkscape:connector-curvature="0"
+     id="path253"
+     d="m 150.40234,40.070312 c -0.004,0 -0.004,-0.0039 -0.004,-0.0039 0,0.01953 0.004,0.03516 0.004,0.05078 0,-0.01563 0,-0.03125 0,-0.04688"
+     style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none" />
+  <path
+     inkscape:connector-curvature="0"
+     id="path255"
+     d="m 150.43359,40.496094 c -0.008,-0.117188 -0.0508,-0.640625 -0.0586,-0.746094 -0.57031,-6.523438 -2.87891,-12.628906 -6.51563,-17.808594 -0.19921,-0.128906 -0.32812,-0.214844 -0.33203,-0.222656 -4.84765,-3.046875 -10.44922,-5.035156 -16.53125,-5.597656 -8.58203,-0.792969 -16.75781,1.367187 -23.52343,5.632812 4.1875,4.371094 6.90234,10.109375 7.42968,16.398438 0.13282,1.5625 0.13282,3.167968 -0.0156,4.792968 -0.23438,2.542969 -0.81641,4.976563 -1.69531,7.242188 -1.58985,4.136719 -4.16797,7.75 -7.41016,10.589844 l 0.0547,-0.05078 C 114.3125,53.5 129.77734,50.390625 145.01953,52.703125 143.63672,54.007812 141.55859,55.121094 139.87109,56 c 2.0586,-0.539062 9.29688,-3.429688 9.40235,-3.648438 0,0 0.008,-0.0039 0.008,-0.0039 h -0.008 c 0,0 1.6914,-5.472656 1.16015,-11.851562"
+     style="fill:#211e1e;fill-opacity:1;fill-rule:evenodd;stroke:none" />
+  <path
+     inkscape:connector-curvature="0"
+     id="path257"
+     d="m 149.76562,39.636719 c -4.82421,-3.265625 -8.80078,-5.238281 -17.20312,-6.019531 -6.39062,-0.589844 -12.55469,0.453124 -18.07031,2.785156 0.14062,1.542968 0.15234,3.121094 0.004,4.71875 -0.71875,7.753906 -4.84375,14.359375 -10.76171,18.503906 15.30078,-8.800781 29.20703,-9.976562 40.98828,-8.175781 0.78125,0.121093 3.20312,0.539062 4.32421,0.835937 1.36719,-6.898437 0.89063,-11.460937 0.71875,-12.648437"
+     style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-1"
+     x="118.2271"
+     y="68.5681"
+     id="use259"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-12"
+     x="123.50107"
+     y="68.5681"
+     id="use261"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-18"
+     x="127.89736"
+     y="68.5681"
+     id="use263"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-10"
+     x="131.85086"
+     y="68.5681"
+     id="use265"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-9"
+     x="134.04901"
+     y="68.5681"
+     id="use267"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-10"
+     x="101.9633"
+     y="76.605698"
+     id="use271"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-2"
+     x="104.16145"
+     y="76.605698"
+     id="use273"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-15"
+     x="108.55774"
+     y="76.605698"
+     id="use275"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-12"
+     x="110.3131"
+     y="76.605698"
+     id="use277"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-19"
+     x="114.70938"
+     y="76.605698"
+     id="use279"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-9"
+     x="118.66289"
+     y="76.605698"
+     id="use281"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-20"
+     x="120.41824"
+     y="76.605698"
+     id="use283"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-2"
+     x="124.37173"
+     y="76.605698"
+     id="use285"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-7"
+     x="128.76804"
+     y="76.605698"
+     id="use287"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-21"
+     x="130.96617"
+     y="76.605698"
+     id="use289"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-12"
+     x="135.36247"
+     y="76.605698"
+     id="use291"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-6"
+     x="139.75876"
+     y="76.605698"
+     id="use293"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-20"
+     x="144.15504"
+     y="76.605698"
+     id="use295"
+     width="100%"
+     height="100%" />
+  <use
+     style="fill:#211e1e;fill-opacity:1"
+     xlink:href="#glyph0-18"
+     x="148.10855"
+     y="76.605698"
+     id="use297"
+     width="100%"
+     height="100%" />
+</svg>
diff --git a/example/src/main/resources/static/index.html b/example/src/main/resources/static/index.html
new file mode 100644
index 0000000..4ccc697
--- /dev/null
+++ b/example/src/main/resources/static/index.html
@@ -0,0 +1,150 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
+    <title>Web eID test page</title>
+    <link
+            href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css"
+            rel="stylesheet"
+            crossorigin="anonymous"
+    />
+    <link
+            href="/css/main.css"
+            rel="stylesheet"
+    />
+</head>
+<body class="m-4">
+<div class="container">
+    <div class="row justify-content-md-center">
+        <div class="col-xs-12 col-md-8">
+            <h2>Web eID test page</h2>
+            <p>
+                The Web eID project enables usage of European Union electronic identity (eID) smart cards for
+                secure authentication and digital signing of documents on the web using public-key cryptography.
+            </p>
+            <p>Estonian, Finnish, Latvian and Lithuanian eID cards are supported, but only Estonian eID card support
+                is currently enabled in this test service.</p>
+            <p>
+                Technical overview of the solution is available in the project
+                <a href="https://github.com/open-eid/browser-extensions2">system architecture document</a>.
+            </p>
+
+            <hr/>
+            <h4>Testing</h4>
+            <p>
+                Instructions for testing in Firefox, Chrome, Edge or Opera (support for Safari has been already
+                added as well, but it is not yet published):
+            </p>
+            <ol>
+                <li>Currently you need an Estonian eID test card for testing, and
+                    the authentication and signing certificates of the test card must be uploaded to the
+                    <a href="https://demo.sk.ee/upload_cert/index.php">demo.sk.ee OCSP responder database</a>.
+                </li>
+                <li>
+                    Download and install the Web eID native app:
+                    <ul>
+                        <li>
+                            for Ubuntu Linux 20.04 from <a href="/files/web-eid_0.9.3.869_amd64.deb">here</a>
+                        </li>
+                        <li>for macOS 10.13 or later from <a href="/files/web-eid-0.9.3.869.pkg">here</a></li>
+                        <li>for Windows 10 from <a href="/files/web-eid-0.9.3.869.x64.msi">here</a>.</li>
+                    </ul>
+                </li>
+                <li>
+                    The installer will install the browser extension for Chrome and Edge automatically.
+                    The extension must be manually enabled in Edge and may require manual enabling in Chrome
+                    as well under certain circumstances.
+                </li>
+                <li>The installer will also install the browser extension for Firefox automatically in
+                    Ubuntu Linux and macOS. In Windows, the Firefox browser extension has to be manually
+                    installed:
+                    <ul>
+                        <li>download the extension from <a href="/files/firefox/web-eid-webextension-0.9.1.xpi">here</a>
+                        </li>
+                        <li>in Firefox, open the Firefox menu and click <i>Add-ons</i></li>
+                        <li>from the settings cog, open <i>Install Add-on From File</i></li>
+                        <li>browse to and open the XPI file from the location where it was saved</li>
+                        <li>When prompted click <i>Add</i></li>
+                    </ul>
+                </li>
+                <li>
+                    Attach a smart card reader to the computer and insert the eID card into the reader.
+                </li>
+                <li>Click <i>Authenticate</i> below.</li>
+            </ol>
+            <div id="error-message" class="alert alert-danger" style="display: none;" role="alert">
+                <div class="message"></div>
+                <pre class="details"></pre>
+            </div>
+            <p class="text-center p-4">
+                <button id="webeid-auth-button" class="btn btn-info">Authenticate</button>
+            </p>
+
+            <hr/>
+            <h4>Debugging and logs</h4>
+            <ul>
+                <li>
+                    To debug the extension, open the extension page and select
+                    <i>Inspect</i> to open browser developer tools in extension mode. You can examine extension
+                    logs in the <i>Console</i> tab, put breakpoints in extension code in the <i>Debugger</i> tab
+                    and inspect extension network communication in the <i>Network</i> tab.
+                </li>
+                <li>
+                    The native app logs are stored in
+                    <ul>
+                        <li><code>~/.local/share/RIA/web-eid/web-eid.log</code> in Linux</li>
+                        <li><code>~/Library/Application Support/RIA/web-eid/web-eid.log</code> in macOS</li>
+                        <li>
+                            <code>C:/Users/&lt;USER&gt;/AppData/Local/RIA/web-eid/web-eid.log</code> in Windows.
+                        </li>
+                    </ul>
+                </li>
+            </ul>
+        </div>
+    </div>
+</div>
+
+<div class="eu-logo-fixed" onmouseout="this.style.display = 'none'">
+    <img src="/img/eu-fund-flags.svg" alt="EU fund flags">
+</div>
+
+<script type="module">
+    "use strict";
+    import * as webeid from "/js/web-eid-0.9.0.js";
+    import {hideErrorMessage, showErrorMessage} from "/js/error-message.js";
+
+    hideErrorMessage();
+
+    const authButton = document.querySelector("#webeid-auth-button");
+
+    authButton.addEventListener("click", async () => {
+        const options = {
+            getAuthChallengeUrl: window.location.origin + "/auth/challenge",
+            postAuthTokenUrl: window.location.origin + "/auth/login"
+        };
+
+        hideErrorMessage();
+        authButton.disabled = true;
+
+        try {
+            const response = await webeid.authenticate(options);
+
+            console.log("Authentication successful! Response:", response);
+            window.location.href = "/welcome";
+        } catch (error) {
+            showErrorMessage(error);
+            throw error;
+        } finally {
+            authButton.disabled = false;
+        }
+    });
+
+    document.addEventListener('DOMContentLoaded', function () {
+        setTimeout(function () {
+            document.querySelector(".eu-logo-fixed").style.display = 'none'
+        }, 7000)
+    });
+</script>
+</body>
+</html>
diff --git a/example/src/main/resources/static/js/error-message.js b/example/src/main/resources/static/js/error-message.js
new file mode 100644
index 0000000..840b942
--- /dev/null
+++ b/example/src/main/resources/static/js/error-message.js
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+"use strict";
+
+const alertUi = {
+    alert: document.querySelector("#error-message"),
+    alertMessage: document.querySelector("#error-message .message"),
+    alertDetails: document.querySelector("#error-message .details")
+};
+
+export function hideErrorMessage() {
+    alertUi.alert.style.display = "none";
+}
+
+export function showErrorMessage(error) {
+    const message = "Authentication failed";
+    const details =
+        `[Code]\n${error.code}` +
+        `\n\n[Message]\n${error.message}` +
+        (error.response ? `\n\n[response]\n${JSON.stringify(error.response, null, " ")}` : "");
+
+    alertUi.alertMessage.innerText = message;
+    alertUi.alertDetails.innerText = details;
+    alertUi.alert.style.display = "block";
+}
diff --git a/example/src/main/resources/static/js/web-eid-0.9.0.js b/example/src/main/resources/static/js/web-eid-0.9.0.js
new file mode 100644
index 0000000..b5b7419
--- /dev/null
+++ b/example/src/main/resources/static/js/web-eid-0.9.0.js
@@ -0,0 +1,521 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+var config = Object.freeze({
+    VERSION: "0.9.0",
+    EXTENSION_HANDSHAKE_TIMEOUT: 1000,
+    NATIVE_APP_HANDSHAKE_TIMEOUT: 5 * 1000,
+    DEFAULT_USER_INTERACTION_TIMEOUT: 2 * 60 * 1000,
+    DEFAULT_SERVER_REQUEST_TIMEOUT: 20 * 1000,
+});
+
+var ErrorCode;
+(function (ErrorCode) {
+    // Timeout errors
+    ErrorCode["ERR_WEBEID_ACTION_TIMEOUT"] = "ERR_WEBEID_ACTION_TIMEOUT";
+    ErrorCode["ERR_WEBEID_USER_TIMEOUT"] = "ERR_WEBEID_USER_TIMEOUT";
+    ErrorCode["ERR_WEBEID_SERVER_TIMEOUT"] = "ERR_WEBEID_SERVER_TIMEOUT";
+    // Health errors
+    ErrorCode["ERR_WEBEID_VERSION_MISMATCH"] = "ERR_WEBEID_VERSION_MISMATCH";
+    ErrorCode["ERR_WEBEID_VERSION_INVALID"] = "ERR_WEBEID_VERSION_INVALID";
+    ErrorCode["ERR_WEBEID_EXTENSION_UNAVAILABLE"] = "ERR_WEBEID_EXTENSION_UNAVAILABLE";
+    ErrorCode["ERR_WEBEID_NATIVE_UNAVAILABLE"] = "ERR_WEBEID_NATIVE_UNAVAILABLE";
+    ErrorCode["ERR_WEBEID_UNKNOWN_ERROR"] = "ERR_WEBEID_UNKNOWN_ERROR";
+    // Security errors
+    ErrorCode["ERR_WEBEID_CONTEXT_INSECURE"] = "ERR_WEBEID_CONTEXT_INSECURE";
+    ErrorCode["ERR_WEBEID_PROTOCOL_INSECURE"] = "ERR_WEBEID_PROTOCOL_INSECURE";
+    ErrorCode["ERR_WEBEID_TLS_CONNECTION_BROKEN"] = "ERR_WEBEID_TLS_CONNECTION_BROKEN";
+    ErrorCode["ERR_WEBEID_TLS_CONNECTION_INSECURE"] = "ERR_WEBEID_TLS_CONNECTION_INSECURE";
+    ErrorCode["ERR_WEBEID_TLS_CONNECTION_WEAK"] = "ERR_WEBEID_TLS_CONNECTION_WEAK";
+    ErrorCode["ERR_WEBEID_CERTIFICATE_CHANGED"] = "ERR_WEBEID_CERTIFICATE_CHANGED";
+    ErrorCode["ERR_WEBEID_ORIGIN_MISMATCH"] = "ERR_WEBEID_ORIGIN_MISMATCH";
+    // Third party errors
+    ErrorCode["ERR_WEBEID_SERVER_REJECTED"] = "ERR_WEBEID_SERVER_REJECTED";
+    ErrorCode["ERR_WEBEID_USER_CANCELLED"] = "ERR_WEBEID_USER_CANCELLED";
+    ErrorCode["ERR_WEBEID_NATIVE_FATAL"] = "ERR_WEBEID_NATIVE_FATAL";
+    // Developer mistakes
+    ErrorCode["ERR_WEBEID_ACTION_PENDING"] = "ERR_WEBEID_ACTION_PENDING";
+    ErrorCode["ERR_WEBEID_MISSING_PARAMETER"] = "ERR_WEBEID_MISSING_PARAMETER";
+})(ErrorCode || (ErrorCode = {}));
+var ErrorCode$1 = ErrorCode;
+
+var Action;
+(function (Action) {
+    Action["STATUS"] = "web-eid:status";
+    Action["STATUS_ACK"] = "web-eid:status-ack";
+    Action["STATUS_SUCCESS"] = "web-eid:status-success";
+    Action["STATUS_FAILURE"] = "web-eid:status-failure";
+    Action["AUTHENTICATE"] = "web-eid:authenticate";
+    Action["AUTHENTICATE_ACK"] = "web-eid:authenticate-ack";
+    Action["AUTHENTICATE_SUCCESS"] = "web-eid:authenticate-success";
+    Action["AUTHENTICATE_FAILURE"] = "web-eid:authenticate-failure";
+    Action["SIGN"] = "web-eid:sign";
+    Action["SIGN_ACK"] = "web-eid:sign-ack";
+    Action["SIGN_SUCCESS"] = "web-eid:sign-success";
+    Action["SIGN_FAILURE"] = "web-eid:sign-failure";
+})(Action || (Action = {}));
+var Action$1 = Action;
+
+class CertificateChangedError extends Error {
+    constructor(message = "server certificate changed between requests") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_CERTIFICATE_CHANGED;
+    }
+}
+
+class OriginMismatchError extends Error {
+    constructor(message = "URLs for a single operation require the same origin") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_ORIGIN_MISMATCH;
+    }
+}
+
+const SECURE_CONTEXTS_INFO_URL = "https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts";
+class ContextInsecureError extends Error {
+    constructor(message = "Secure context required, see " + SECURE_CONTEXTS_INFO_URL) {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_CONTEXT_INSECURE;
+    }
+}
+
+class ExtensionUnavailableError extends Error {
+    constructor(message = "Web-eID extension is not available") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_EXTENSION_UNAVAILABLE;
+    }
+}
+
+class ActionPendingError extends Error {
+    constructor(message = "same action for Web-eID browser extension is already pending") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_ACTION_PENDING;
+    }
+}
+
+class NativeFatalError extends Error {
+    constructor(message = "native application terminated with a fatal error") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_NATIVE_FATAL;
+    }
+}
+
+class NativeUnavailableError extends Error {
+    constructor(message = "Web-eID native application is not available") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_NATIVE_UNAVAILABLE;
+    }
+}
+
+class ServerRejectedError extends Error {
+    constructor(message = "server rejected the request") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_SERVER_REJECTED;
+    }
+}
+
+class UserTimeoutError extends Error {
+    constructor(message = "user failed to respond in time") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_USER_TIMEOUT;
+    }
+}
+
+class UserCancelledError extends Error {
+    constructor(message = "request was cancelled by the user") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_USER_CANCELLED;
+    }
+}
+
+function tmpl(strings, requiresUpdate) {
+    return `Update required for Web-eID ${requiresUpdate}`;
+}
+class VersionMismatchError extends Error {
+    constructor(message, versions, requiresUpdate) {
+        if (!message) {
+            if (!requiresUpdate) {
+                message = "requiresUpdate not provided";
+            }
+            else if (requiresUpdate.extension && requiresUpdate.nativeApp) {
+                message = tmpl `${"extension and native app"}`;
+            }
+            else if (requiresUpdate.extension) {
+                message = tmpl `${"extension"}`;
+            }
+            else if (requiresUpdate.nativeApp) {
+                message = tmpl `${"native app"}`;
+            }
+        }
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_VERSION_MISMATCH;
+        this.requiresUpdate = requiresUpdate;
+        if (versions) {
+            const { library, extension, nativeApp } = versions;
+            Object.assign(this, { library, extension, nativeApp });
+        }
+    }
+}
+
+class TlsConnectionBrokenError extends Error {
+    constructor(message = "TLS connection was broken") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_BROKEN;
+    }
+}
+
+class TlsConnectionInsecureError extends Error {
+    constructor(message = "TLS connection was insecure") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_INSECURE;
+    }
+}
+
+class TlsConnectionWeakError extends Error {
+    constructor(message = "TLS connection was weak") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_WEAK;
+    }
+}
+
+class ProtocolInsecureError extends Error {
+    constructor(message = "HTTPS required") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_PROTOCOL_INSECURE;
+    }
+}
+
+class ActionTimeoutError extends Error {
+    constructor(message = "extension message timeout") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_ACTION_TIMEOUT;
+    }
+}
+
+class VersionInvalidError extends Error {
+    constructor(message = "invalid version string") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_VERSION_INVALID;
+    }
+}
+
+class ServerTimeoutError extends Error {
+    constructor(message = "server failed to respond in time") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_SERVER_TIMEOUT;
+    }
+}
+
+class UnknownError extends Error {
+    constructor(message = "an unknown error occurred") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_UNKNOWN_ERROR;
+    }
+}
+
+const errorCodeToErrorClass = {
+    [ErrorCode$1.ERR_WEBEID_ACTION_PENDING]: ActionPendingError,
+    [ErrorCode$1.ERR_WEBEID_ACTION_TIMEOUT]: ActionTimeoutError,
+    [ErrorCode$1.ERR_WEBEID_CERTIFICATE_CHANGED]: CertificateChangedError,
+    [ErrorCode$1.ERR_WEBEID_ORIGIN_MISMATCH]: OriginMismatchError,
+    [ErrorCode$1.ERR_WEBEID_CONTEXT_INSECURE]: ContextInsecureError,
+    [ErrorCode$1.ERR_WEBEID_EXTENSION_UNAVAILABLE]: ExtensionUnavailableError,
+    [ErrorCode$1.ERR_WEBEID_NATIVE_FATAL]: NativeFatalError,
+    [ErrorCode$1.ERR_WEBEID_NATIVE_UNAVAILABLE]: NativeUnavailableError,
+    [ErrorCode$1.ERR_WEBEID_PROTOCOL_INSECURE]: ProtocolInsecureError,
+    [ErrorCode$1.ERR_WEBEID_SERVER_REJECTED]: ServerRejectedError,
+    [ErrorCode$1.ERR_WEBEID_SERVER_TIMEOUT]: ServerTimeoutError,
+    [ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_BROKEN]: TlsConnectionBrokenError,
+    [ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_INSECURE]: TlsConnectionInsecureError,
+    [ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_WEAK]: TlsConnectionWeakError,
+    [ErrorCode$1.ERR_WEBEID_USER_CANCELLED]: UserCancelledError,
+    [ErrorCode$1.ERR_WEBEID_USER_TIMEOUT]: UserTimeoutError,
+    [ErrorCode$1.ERR_WEBEID_VERSION_INVALID]: VersionInvalidError,
+    [ErrorCode$1.ERR_WEBEID_VERSION_MISMATCH]: VersionMismatchError,
+};
+function deserializeError(errorObject) {
+    let error;
+    if (typeof errorObject.code == "string" && errorObject.code in errorCodeToErrorClass) {
+        const CustomError = errorCodeToErrorClass[errorObject.code];
+        error = new CustomError();
+    }
+    else {
+        error = new UnknownError();
+    }
+    for (const [key, value] of Object.entries(errorObject)) {
+        error[key] = value;
+    }
+    return error;
+}
+
+class WebExtensionService {
+    constructor() {
+        this.queue = [];
+        window.addEventListener("message", (event) => this.receive(event));
+    }
+    receive(event) {
+        var _a, _b, _c, _d;
+        const message = event.data;
+        const suffix = (_b = (_a = message.action) === null || _a === void 0 ? void 0 : _a.match(/success$|failure$|ack$/)) === null || _b === void 0 ? void 0 : _b[0];
+        const initialAction = this.getInitialAction(message.action);
+        const pending = this.getPendingMessage(initialAction);
+        if (suffix === "ack") {
+            console.log("ack message", message);
+            console.log("ack pending", pending === null || pending === void 0 ? void 0 : pending.message.action);
+            console.log("ack queue", JSON.stringify(this.queue));
+        }
+        if (pending) {
+            switch (suffix) {
+                case "ack": {
+                    clearTimeout(pending.ackTimer);
+                    break;
+                }
+                case "success": {
+                    (_c = pending.resolve) === null || _c === void 0 ? void 0 : _c.call(pending, message);
+                    this.removeFromQueue(initialAction);
+                    break;
+                }
+                case "failure": {
+                    (_d = pending.reject) === null || _d === void 0 ? void 0 : _d.call(pending, message.error ? deserializeError(message.error) : message);
+                    this.removeFromQueue(initialAction);
+                    break;
+                }
+            }
+        }
+    }
+    send(message, timeout) {
+        if (this.getPendingMessage(message.action)) {
+            return Promise.reject(new ActionPendingError());
+        }
+        else if (!window.isSecureContext) {
+            return Promise.reject(new ContextInsecureError());
+        }
+        else {
+            const pending = { message };
+            this.queue.push(pending);
+            pending.promise = new Promise((resolve, reject) => {
+                pending.resolve = resolve;
+                pending.reject = reject;
+            });
+            pending.ackTimer = setTimeout(() => this.onAckTimeout(pending), config.EXTENSION_HANDSHAKE_TIMEOUT);
+            pending.replyTimer = setTimeout(() => this.onReplyTimeout(pending), timeout);
+            window.postMessage(message, "*");
+            return pending.promise;
+        }
+    }
+    onReplyTimeout(pending) {
+        var _a;
+        console.log("onReplyTimeout", pending.message.action);
+        (_a = pending.reject) === null || _a === void 0 ? void 0 : _a.call(pending, new ActionTimeoutError());
+        this.removeFromQueue(pending.message.action);
+    }
+    onAckTimeout(pending) {
+        var _a;
+        console.log("onAckTimeout", pending.message.action);
+        (_a = pending.reject) === null || _a === void 0 ? void 0 : _a.call(pending, new ExtensionUnavailableError());
+        clearTimeout(pending.replyTimer);
+    }
+    getPendingMessage(action) {
+        return this.queue.find((pm) => {
+            return pm.message.action === action;
+        });
+    }
+    getSuccessAction(action) {
+        return `${action}-success`;
+    }
+    getFailureAction(action) {
+        return `${action}-failure`;
+    }
+    getInitialAction(action) {
+        return action.replace(/-success$|-failure$|-ack$/, "");
+    }
+    removeFromQueue(action) {
+        const pending = this.getPendingMessage(action);
+        clearTimeout(pending === null || pending === void 0 ? void 0 : pending.replyTimer);
+        this.queue = this.queue.filter((pending) => (pending.message.action !== action));
+    }
+}
+
+const semverPattern = new RegExp("^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)" +
+    "(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$");
+var IdentifierDiff;
+(function (IdentifierDiff) {
+    IdentifierDiff[IdentifierDiff["NEWER"] = 1] = "NEWER";
+    IdentifierDiff[IdentifierDiff["SAME"] = 0] = "SAME";
+    IdentifierDiff[IdentifierDiff["OLDER"] = -1] = "OLDER";
+})(IdentifierDiff || (IdentifierDiff = {}));
+function parseSemver(string = "") {
+    const result = string.match(semverPattern);
+    const [, majorStr, minorStr, patchStr, rc, build] = result ? result : [];
+    const major = parseInt(majorStr, 10);
+    const minor = parseInt(minorStr, 10);
+    const patch = parseInt(patchStr, 10);
+    for (const indentifier of [major, minor, patch]) {
+        if (Number.isNaN(indentifier)) {
+            throw new VersionInvalidError(`Invalid SemVer string '${string}'`);
+        }
+    }
+    return { major, minor, patch, rc, build, string };
+}
+/**
+ * Compares two Semver objects.
+ *
+ * @param {Semver} a First SemVer object
+ * @param {Semver} b Second Semver object
+ *
+ * @returns {SemverDiff} Diff for major, minor and patch.
+ */
+function compareSemver(a, b) {
+    return {
+        major: Math.sign(a.major - b.major),
+        minor: Math.sign(a.minor - b.minor),
+        patch: Math.sign(a.patch - b.patch),
+    };
+}
+
+/**
+ * Checks if update is required.
+ *
+ * @param version Object containing SemVer version strings for library, extension and native app.
+ *
+ * @returns Object which specifies if the extension or native app should be updated.
+ */
+function checkCompatibility(version) {
+    const library = parseSemver(version.library);
+    const extension = parseSemver(version.extension);
+    const nativeApp = parseSemver(version.nativeApp);
+    const extensionDiff = compareSemver(extension, library);
+    const nativeAppDiff = compareSemver(nativeApp, library);
+    return {
+        extension: extensionDiff.major === IdentifierDiff.OLDER,
+        nativeApp: nativeAppDiff.major === IdentifierDiff.OLDER,
+    };
+}
+/**
+ * Checks an object if 'library', 'extension' or 'nativeApp' properties are present.
+ * Values are not checked for SemVer validity.
+ *
+ * @param object Object which will be checked for version properties.
+ *
+ * @returns Were any of the version properties found in the provided object.
+ */
+function hasVersionProperties(object) {
+    if (typeof object === "object") {
+        for (const prop of ["library", "extension", "nativeApp"]) {
+            if (Object.hasOwnProperty.call(object, prop))
+                return true;
+        }
+    }
+    return false;
+}
+
+class MissingParameterError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_MISSING_PARAMETER;
+    }
+}
+
+function defer() {
+    return new Promise((resolve) => setTimeout(resolve));
+}
+
+const webExtensionService = new WebExtensionService();
+async function status() {
+    await defer(); // Give chrome a moment to load the extension content script
+    let statusResponse;
+    const library = config.VERSION;
+    const timeout = config.EXTENSION_HANDSHAKE_TIMEOUT + config.NATIVE_APP_HANDSHAKE_TIMEOUT;
+    const message = { action: Action$1.STATUS };
+    try {
+        statusResponse = await webExtensionService.send(message, timeout);
+    }
+    catch (error) {
+        error.library = library;
+        throw error;
+    }
+    const versions = { library, ...statusResponse };
+    const requiresUpdate = checkCompatibility(versions);
+    if (requiresUpdate.extension || requiresUpdate.nativeApp) {
+        throw new VersionMismatchError(undefined, versions, requiresUpdate);
+    }
+    return versions;
+}
+async function authenticate(options) {
+    await defer(); // Give chrome a moment to load the extension content script
+    if (typeof options != "object") {
+        throw new MissingParameterError("authenticate function requires an options object as parameter");
+    }
+    if (!options.getAuthChallengeUrl) {
+        throw new MissingParameterError("getAuthChallengeUrl missing from authenticate options");
+    }
+    if (!options.postAuthTokenUrl) {
+        throw new MissingParameterError("postAuthTokenUrl missing from authenticate options");
+    }
+    const timeout = (config.EXTENSION_HANDSHAKE_TIMEOUT +
+        config.NATIVE_APP_HANDSHAKE_TIMEOUT +
+        (options.serverRequestTimeout || config.DEFAULT_SERVER_REQUEST_TIMEOUT) * 2 +
+        (options.userInteractionTimeout || config.DEFAULT_USER_INTERACTION_TIMEOUT));
+    const message = { ...options, action: Action$1.AUTHENTICATE };
+    const result = await webExtensionService.send(message, timeout);
+    return result.response;
+}
+async function sign(options) {
+    await defer(); // Give chrome a moment to load the extension content script
+    if (typeof options != "object") {
+        throw new MissingParameterError("sign function requires an options object as parameter");
+    }
+    if (!options.postPrepareSigningUrl) {
+        throw new MissingParameterError("postPrepareSigningUrl missing from sign options");
+    }
+    if (!options.postFinalizeSigningUrl) {
+        throw new MissingParameterError("postFinalizeSigningUrl missing from sign options");
+    }
+    const timeout = (config.EXTENSION_HANDSHAKE_TIMEOUT +
+        config.NATIVE_APP_HANDSHAKE_TIMEOUT +
+        (options.serverRequestTimeout || config.DEFAULT_SERVER_REQUEST_TIMEOUT) * 2 +
+        (options.userInteractionTimeout || config.DEFAULT_USER_INTERACTION_TIMEOUT) * 2);
+    const message = { ...options, action: Action$1.SIGN };
+    const result = await webExtensionService.send(message, timeout);
+    return result.response;
+}
+
+export { Action$1 as Action, ErrorCode$1 as ErrorCode, authenticate, config, hasVersionProperties, sign, status };
diff --git a/example/src/main/resources/templates/welcome.html b/example/src/main/resources/templates/welcome.html
new file mode 100644
index 0000000..c28462e
--- /dev/null
+++ b/example/src/main/resources/templates/welcome.html
@@ -0,0 +1,143 @@
+<!DOCTYPE html>
+<html lang="en" xmlns:th="http://www.thymeleaf.org">
+    <head>
+        <meta charset="UTF-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
+        <title>Welcome!</title>
+        <link
+            href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css"
+            rel="stylesheet"
+            crossorigin="anonymous"
+        />
+        <link
+            href="/css/main.css"
+            rel="stylesheet"
+        />
+    </head>
+    <body class="m-4">
+        <div class="container">
+            <div class="row justify-content-md-center">
+                <div class="col-xs-12 col-md-8" style="padding-top: 3rem;">
+                    <div style="text-align: center;">
+                        <h2 class="adding-signature">Adding Signature</h2>
+                        <p th:text="'Welcome, ' + ${principalName} + '!'" class="welcome-line"></p>
+                    </div>
+                    <div id="file-name"></div>
+                    <div id="file-drop-area">
+                        <div>Drag file here for signing...</div>
+                        <p class="text-center p-4" style="padding-top: 2rem !important;">
+                            <label for="webeid-upload-file" class="btn btn-info" style="cursor: pointer;">... or load file from disk</label>
+                            <input id="webeid-upload-file" type="file" name="file" style="display: none">
+                        </p>
+                    </div>
+                    <p class="text-center p-4">
+                        <button id="webeid-sign-button" class="btn btn-info" style="display: none;">Sign container</button>
+                        <button id="webeid-download-button" class="btn btn-success" style="display: none;">Download container</button>
+                    </p>
+                </div>
+                <button id="webeid-logout-button" class="btn btn-info">Logout</button>
+            </div>
+        </div>
+        <div id="error-message" class="alert alert-danger" style="display: none;" role="alert">
+            <div class="message"></div>
+            <pre class="details"></pre>
+        </div>
+
+        <script type="module">
+            "use strict";
+            import * as webeid from "/js/web-eid-0.9.0.js";
+            import { hideErrorMessage, showErrorMessage } from "/js/error-message.js";
+
+            const signButton = document.querySelector("#webeid-sign-button");
+            const downloadButton = document.querySelector("#webeid-download-button");
+
+            const fileUploadArea = document.querySelector("#file-drop-area");
+            const fileUploadInput = document.querySelector("#webeid-upload-file");
+            const fileNameText = document.querySelector("#file-name");
+
+            fileUploadArea.classList.add( 'has-advanced-upload' );
+
+            ['drag', 'dragstart', 'dragend', 'dragover', 'dragenter', 'dragleave', 'drop'].forEach( function( event )
+            {
+                fileUploadArea.addEventListener( event, function( e )
+                {
+                    // preventing the unwanted behaviours
+                    e.preventDefault();
+                    e.stopPropagation();
+                });
+            });
+            ['dragover', 'dragenter'].forEach( function( event )
+            {
+                fileUploadArea.addEventListener( event, function()
+                {
+                    fileUploadArea.classList.add('is-dragover');
+                });
+            });
+            ['dragleave', 'dragend', 'drop'].forEach( function( event )
+            {
+                fileUploadArea.addEventListener( event, function()
+                {
+                    fileUploadArea.classList.remove('is-dragover');
+                });
+            });
+
+            async function uploadFile(file) {
+                const formData  = new FormData();
+                formData.append("file", file)
+
+                const response = await fetch("/sign/upload", {
+                    method: 'POST',
+                    body: formData
+                });
+
+                response.json().then(data => {
+                    signButton.removeAttribute("style");
+                    fileNameText.textContent = "File uploaded: " + data.name;
+                    downloadButton.setAttribute("style", "display: none;");
+                    fileUploadArea.setAttribute("style", "display: none;");
+                });
+            }
+
+            document.querySelector("#webeid-logout-button").addEventListener("click", async () => {
+                await fetch("/logout");
+                window.location.href = "/";
+            });
+
+            downloadButton.addEventListener("click", async () => {
+                window.location.href = "/sign/download";
+            });
+
+            fileUploadInput.addEventListener("input", async () => {
+                const firstFile = fileUploadInput.files[0];
+                await uploadFile(firstFile);
+            });
+
+            fileUploadArea.addEventListener("drop", async (e) => {
+                const firstFile = e.dataTransfer.files[0];
+                await uploadFile(firstFile);
+            })
+
+            signButton.addEventListener("click", async () => {
+                const options = {
+                    postPrepareSigningUrl: window.location.origin + "/sign/prepare",
+                    postFinalizeSigningUrl: window.location.origin + "/sign/sign"
+                };
+
+                hideErrorMessage();
+                signButton.disabled = true;
+
+                try {
+                    const response = await webeid.sign(options);
+                    signButton.setAttribute("style", "display: none;");
+                    downloadButton.removeAttribute("style");
+                    fileNameText.textContent = "Signature added: " + response.body.name;
+                } catch (error) {
+                    showErrorMessage(error);
+                    throw error;
+                } finally {
+                    signButton.disabled = false;
+                }
+            });
+        </script>
+    </body>
+</html>
diff --git a/example/src/test/java/org/webeid/example/AuthenticationRestControllerTest.java b/example/src/test/java/org/webeid/example/AuthenticationRestControllerTest.java
new file mode 100644
index 0000000..660b522
--- /dev/null
+++ b/example/src/test/java/org/webeid/example/AuthenticationRestControllerTest.java
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.webeid.example.security.ajax.AjaxAuthenticationSuccessHandler;
+import org.webeid.example.web.rest.ChallengeController;
+
+import javax.servlet.http.HttpSession;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+@SpringBootTest
+class AuthenticationRestControllerTest {
+    @Autowired
+    ChallengeController authRestController;
+
+    @Autowired
+    AjaxAuthenticationSuccessHandler ajaxAuthenticationSuccessHandler;
+
+    @Autowired
+    HttpSession httpSession;
+
+    @Test
+    void contextLoads() {
+        assertThat(authRestController).isNotNull();
+    }
+
+    @Test
+    void challengeNotNull() {
+        assertThat(authRestController.challenge()).isNotNull();
+    }
+
+    // TODO: add tests here
+}
diff --git a/example/src/test/java/org/webeid/example/WebApplicationTest.java b/example/src/test/java/org/webeid/example/WebApplicationTest.java
new file mode 100644
index 0000000..b86e655
--- /dev/null
+++ b/example/src/test/java/org/webeid/example/WebApplicationTest.java
@@ -0,0 +1,109 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example;
+
+import com.hazelcast.util.Base64;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Disabled;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.http.HttpStatus;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.setup.DefaultMockMvcBuilder;
+import org.springframework.test.web.servlet.setup.MockMvcBuilders;
+import org.springframework.web.context.WebApplicationContext;
+import org.webeid.example.service.dto.DigestDTO;
+import org.webeid.example.testutil.Dates;
+import org.webeid.example.testutil.FakeNonce;
+import org.webeid.example.testutil.HttpHelper;
+import org.webeid.example.testutil.ObjectMother;
+
+import java.nio.charset.StandardCharsets;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+
+@SpringBootTest
+@WebAppConfiguration
+public class WebApplicationTest {
+    @Autowired
+    private WebApplicationContext context;
+
+    @Autowired
+    private javax.servlet.Filter[] springSecurityFilterChain;
+
+    private static final byte[] TEST_NONCE_BYTES = Base64.decode("a/wAFpMaXojLIaEmeOvviRNoBVqHBM/Mm9JV28ZcaIo=".getBytes(StandardCharsets.UTF_8));
+    private static DefaultMockMvcBuilder mvcBuilder;
+
+    @BeforeEach
+    public void setup() {
+        mvcBuilder = MockMvcBuilders.webAppContextSetup(context).addFilters(springSecurityFilterChain);
+    }
+
+    @Test
+    public void testRoot() throws Exception {
+        // @formatter:off
+        MockHttpServletResponse response = mvcBuilder
+            .build()
+            .perform(get("/"))
+            .andReturn()
+            .getResponse();
+        // @formatter:on
+        assertEquals(HttpStatus.OK.value(), response.getStatus());
+        System.out.println(response.getContentAsString());
+    }
+
+    @Disabled // FIXME: fix and enable
+    @Test
+    public void testHappyFlow_LoginUploadPrepareSignDownload() throws Exception {
+
+        final MockHttpSession session = new MockHttpSession();
+
+        FakeNonce.setMockedNonce(TEST_NONCE_BYTES);
+        Dates.setMockedDate(Dates.create("2020-04-14T13:36:49Z"));
+
+        mvcBuilder.build().perform(get("/auth/challenge"));
+
+        MockHttpServletResponse response = HttpHelper.login(mvcBuilder, session, ObjectMother.mockAuthToken());
+        assertEquals("{\"sub\":\"JÕEORG,JAAK-KRISTJAN,38001085718\",\"auth\":[\"ROLE_USER\"]}", response.getContentAsString());
+
+        response = HttpHelper.upload(mvcBuilder, session, ObjectMother.mockMultipartFile());
+        assertEquals(HttpStatus.OK.value(), response.getStatus());
+
+        response = HttpHelper.prepare(mvcBuilder, session, ObjectMother.mockPrepareRequest());
+        assertEquals(HttpStatus.OK.value(), response.getStatus());
+
+
+        DigestDTO digestDTO = ObjectMother.jsonStringToBean(response.getContentAsString(), DigestDTO.class);
+
+        response = HttpHelper.sign(mvcBuilder, session, ObjectMother.mockSignRequest(digestDTO.getHash()));
+        assertEquals(HttpStatus.OK.value(), response.getStatus());
+
+        response = HttpHelper.download(mvcBuilder, session, ObjectMother.mockSignRequest(digestDTO.getHash()));
+        assertEquals(HttpStatus.OK.value(), response.getStatus());
+        assertEquals("attachment; filename=test-file.asice", response.getHeader("Content-Disposition"));
+    }
+}
diff --git a/example/src/test/java/org/webeid/example/testutil/Dates.java b/example/src/test/java/org/webeid/example/testutil/Dates.java
new file mode 100644
index 0000000..3b43c8c
--- /dev/null
+++ b/example/src/test/java/org/webeid/example/testutil/Dates.java
@@ -0,0 +1,48 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.testutil;
+
+import com.fasterxml.jackson.databind.util.StdDateFormat;
+import mockit.Mock;
+import mockit.MockUp;
+
+import java.text.ParseException;
+import java.util.Date;
+
+public final class Dates {
+    private static final StdDateFormat STD_DATE_FORMAT = new StdDateFormat();
+
+    public static Date create(String iso8601Date) throws ParseException {
+        return STD_DATE_FORMAT.parse(iso8601Date);
+    }
+
+    public static void setMockedDate(Date mockedDate) {
+        new MockUp<System>() {
+            @Mock
+            public long currentTimeMillis() {
+                return mockedDate.getTime();
+            }
+        };
+    }
+
+}
diff --git a/example/src/test/java/org/webeid/example/testutil/FakeNonce.java b/example/src/test/java/org/webeid/example/testutil/FakeNonce.java
new file mode 100644
index 0000000..c923cb9
--- /dev/null
+++ b/example/src/test/java/org/webeid/example/testutil/FakeNonce.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.testutil;
+
+public final class FakeNonce {
+
+    public static void setMockedNonce(byte[] nonce) {
+        // FIXME:
+//        new MockUp<Nonce>() {
+//            @Mock
+//            public byte[] getNonceBytes() {
+//                return nonce;
+//            }
+//        };
+    }
+}
diff --git a/example/src/test/java/org/webeid/example/testutil/HttpHelper.java b/example/src/test/java/org/webeid/example/testutil/HttpHelper.java
new file mode 100644
index 0000000..9ec2f99
--- /dev/null
+++ b/example/src/test/java/org/webeid/example/testutil/HttpHelper.java
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.testutil;
+
+import org.springframework.http.MediaType;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.mock.web.MockMultipartFile;
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
+import org.springframework.test.web.servlet.setup.DefaultMockMvcBuilder;
+import org.webeid.example.security.dto.AuthTokenDTO;
+import org.webeid.example.service.dto.CertificateDTO;
+import org.webeid.example.service.dto.SignatureDTO;
+
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
+
+public class HttpHelper {
+
+    public static MockHttpServletResponse login(DefaultMockMvcBuilder mvcBuilder, MockHttpSession session, AuthTokenDTO authTokenDTO) throws Exception {
+        // @formatter:off
+        return mvcBuilder
+                .build()
+                .perform(post("/auth/login")
+                        .session(session)
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content(ObjectMother.toJson(authTokenDTO)))
+                .andReturn()
+                .getResponse();
+        // @formatter:on
+    }
+
+    public static MockHttpServletResponse upload(DefaultMockMvcBuilder mvcBuilder, MockHttpSession session, MockMultipartFile mockMultipartFile) throws Exception {
+        // @formatter:off
+        return mvcBuilder
+                .build()
+                .perform(MockMvcRequestBuilders.multipart("/sign/upload")
+                        .file(mockMultipartFile)
+                        .session(session))
+                .andReturn()
+                .getResponse();
+        // @formatter:on
+    }
+
+    public static MockHttpServletResponse prepare(DefaultMockMvcBuilder mvcBuilder, MockHttpSession session, CertificateDTO certificateDTO) throws Exception {
+        // @formatter:off
+        return mvcBuilder
+                .build()
+                .perform(post("/sign/prepare")
+                        .session(session)
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content(ObjectMother.toJson(certificateDTO)))
+                .andReturn()
+                .getResponse();
+        // @formatter:on
+    }
+
+    public static MockHttpServletResponse sign(DefaultMockMvcBuilder mvcBuilder, MockHttpSession session, SignatureDTO signatureDTO) throws Exception {
+        // @formatter:off
+        return mvcBuilder
+                .build()
+                .perform(post("/sign/sign")
+                        .session(session)
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content(ObjectMother.toJson(signatureDTO)))
+                .andReturn()
+                .getResponse();
+        // @formatter:on
+    }
+
+    public static MockHttpServletResponse download(DefaultMockMvcBuilder mvcBuilder, MockHttpSession session, SignatureDTO mockSignRequest) throws Exception {
+        // @formatter:off
+        return mvcBuilder
+                .build()
+                .perform(get("/sign/download")
+                        .session(session))
+                .andReturn()
+                .getResponse();
+        // @formatter:on
+    }
+}
diff --git a/example/src/test/java/org/webeid/example/testutil/ObjectMother.java b/example/src/test/java/org/webeid/example/testutil/ObjectMother.java
new file mode 100644
index 0000000..678b576
--- /dev/null
+++ b/example/src/test/java/org/webeid/example/testutil/ObjectMother.java
@@ -0,0 +1,141 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.testutil;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.commons.lang3.ArrayUtils;
+import org.digidoc4j.DigestAlgorithm;
+import org.digidoc4j.exceptions.DigiDoc4JException;
+import org.springframework.mock.web.MockMultipartFile;
+import org.webeid.example.security.dto.AuthTokenDTO;
+import org.webeid.example.service.dto.CertificateDTO;
+import org.webeid.example.service.dto.SignatureDTO;
+
+import javax.xml.bind.DatatypeConverter;
+import java.io.FileInputStream;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.Base64;
+
+public class ObjectMother {
+
+    public static final String TEST_PKI_CONTAINER = "src/test/resources/signout.p12";
+    public static final String TEST_PKI_CONTAINER_PASSWORD = "test";
+    private static final ObjectMapper mapper = new ObjectMapper();
+
+    public static AuthTokenDTO mockAuthToken() throws JsonProcessingException {
+        AuthTokenDTO authToken = new AuthTokenDTO();
+        authToken.setToken(Tokens.SIGNED);
+        return authToken;
+    }
+
+    public static String toJson(Object object) throws JsonProcessingException {
+        return mapper.writeValueAsString(object);
+    }
+
+
+    public static MockMultipartFile mockMultipartFile() {
+        return new MockMultipartFile("file", "test-file.txt", "text/plain", "some xml".getBytes());
+    }
+
+    public static String mockCertificateInBase64() {
+        try {
+            X509Certificate certificate = getSigningCert();
+            byte[] derEncodedCertificate = certificate.getEncoded();
+            return DatatypeConverter.printBase64Binary(derEncodedCertificate);
+        } catch (Exception e) {
+            throw new RuntimeException("Certificate loading failed", e);
+        }
+    }
+
+    public static String mockSignatureInBase64(String digestToSign) {
+        return signDigest(DatatypeConverter.parseBase64Binary(digestToSign));
+    }
+
+    public static <T> T jsonStringToBean(String jsonString, Class<T> valueType) throws JsonProcessingException {
+        return mapper.readValue(jsonString, valueType);
+    }
+
+    public static CertificateDTO mockPrepareRequest() {
+        CertificateDTO certificateDTODTO = new CertificateDTO();
+        certificateDTODTO.setBase64String(mockCertificateInBase64());
+        return certificateDTODTO;
+    }
+
+    public static SignatureDTO mockSignRequest(String digestToSign) {
+        SignatureDTO signatureDTO = new SignatureDTO();
+        signatureDTO.setBase64Signature(mockSignatureInBase64(digestToSign));
+        return signatureDTO;
+    }
+
+    private static X509Certificate getSigningCert() {
+        try {
+            KeyStore keyStore = KeyStore.getInstance("PKCS12");
+            try (FileInputStream stream = new FileInputStream(TEST_PKI_CONTAINER)) {
+                keyStore.load(stream, TEST_PKI_CONTAINER_PASSWORD.toCharArray());
+            }
+            return (X509Certificate) keyStore.getCertificate("1");
+        } catch (Exception e) {
+            throw new RuntimeException("Loading signer cert failed");
+        }
+    }
+
+    private static byte[] sign(byte[] dataToSign) {
+        try {
+            KeyStore keyStore = KeyStore.getInstance("PKCS12");
+            try (FileInputStream stream = new FileInputStream(TEST_PKI_CONTAINER)) {
+                keyStore.load(stream, TEST_PKI_CONTAINER_PASSWORD.toCharArray());
+            }
+            PrivateKey privateKey = (PrivateKey) keyStore.getKey("1", TEST_PKI_CONTAINER_PASSWORD.toCharArray());
+            final String javaSignatureAlgorithm = "NONEwith" + privateKey.getAlgorithm();
+
+            return encrypt(javaSignatureAlgorithm, privateKey, addOID(dataToSign));
+        } catch (Exception e) {
+            throw new DigiDoc4JException("Loading private key failed");
+        }
+    }
+
+    private static byte[] addOID(byte[] digest) {
+        return ArrayUtils.addAll(DigestAlgorithm.SHA256.digestInfoPrefix(), digest);
+    }
+
+    private static byte[] encrypt(final String javaSignatureAlgorithm, final PrivateKey privateKey, final byte[] bytes) {
+        try {
+            java.security.Signature signature = java.security.Signature.getInstance(javaSignatureAlgorithm);
+            signature.initSign(privateKey);
+            signature.update(bytes);
+            return signature.sign();
+        } catch (GeneralSecurityException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private static String signDigest(byte[] digestToSign) {
+        byte[] signatureValue = sign(digestToSign);
+        return Base64.getEncoder().encodeToString(signatureValue);
+    }
+
+}
diff --git a/example/src/test/java/org/webeid/example/testutil/Tokens.java b/example/src/test/java/org/webeid/example/testutil/Tokens.java
new file mode 100644
index 0000000..4f213ff
--- /dev/null
+++ b/example/src/test/java/org/webeid/example/testutil/Tokens.java
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package org.webeid.example.testutil;
+
+public class Tokens {
+
+    public static final String SIGNED =
+        "eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlFUkRDQ0E2YWdBd0lCQWdJUWF2WS81dFg4cVZKYmNxUlBML2k4VXpBS0JnZ3Foa2pPUFFRREJEQmdNUXN3Q1FZRFZRUUdFd0pGUlRFYk1Ca0dBMVVFQ2d3U1Uwc2dTVVFnVTI5c2RYUnBiMjV6SUVGVE1SY3dGUVlEVlFSaERBNU9WRkpGUlMweE1EYzBOekF4TXpFYk1Ca0dBMVVFQXd3U1ZFVlRWQ0J2WmlCRlUxUkZTVVF5TURFNE1CNFhEVEU0TURneE5EQTVORE0wTTFvWERUSXpNRGd4TWpJeE5UazFPVm93ZnpFTE1Ba0dBMVVFQmhNQ1JVVXhLakFvQmdOVkJBTU1JVXJEbFVWUFVrY3NTa0ZCU3kxTFVrbFRWRXBCVGl3ek9EQXdNVEE0TlRjeE9ERVFNQTRHQTFVRUJBd0hTc09WUlU5U1J6RVdNQlFHQTFVRUtnd05Ta0ZCU3kxTFVrbFRWRXBCVGpFYU1CZ0dBMVVFQlJNUlVFNVBSVVV0TXpnd01ERXdPRFUzTVRnd2RqQVFCZ2NxaGtqT1BRSUJCZ1VyZ1FRQUlnTmlBQVQ4akc4RXZzVVZvbVdoUXJNZ2xkVUU3QUNKR2lERklGa295SC9YRTQ2Z040SzJqWXF1NjVETGh0ZmxOMXRuWjRLT2YyYllUeUJ5N3ZmRTVMWjFrRXpLT3FCWWgxbm10cUxQb2FYdlpxYWREVktCU3UvaUxmRm43TFZtcnFDUWwraWpnZ0lFTUlJQ0FEQUpCZ05WSFJNRUFqQUFNQTRHQTFVZER3RUIvd1FFQXdJRGlEQkhCZ05WSFNBRVFEQStNRElHQ3lzR0FRUUJnNUVoQVFJQk1DTXdJUVlJS3dZQkJRVUhBZ0VXRldoMGRIQnpPaTh2ZDNkM0xuTnJMbVZsTDBOUVV6QUlCZ1lFQUk5NkFRSXdId1lEVlIwUkJCZ3dGb0VVTXpnd01ERXdPRFUzTVRoQVpXVnpkR2t1WldVd0hRWURWUjBPQkJZRUZOaUVZRHVQRnZpb1VwcFh4QXgwSUpJSVlOUmlNR0VHQ0NzR0FRVUZCd0VEQkZVd1V6QlJCZ1lFQUk1R0FRVXdSekJGRmo5b2RIUndjem92TDNOckxtVmxMMlZ1TDNKbGNHOXphWFJ2Y25rdlkyOXVaR2wwYVc5dWN5MW1iM0l0ZFhObExXOW1MV05sY25ScFptbGpZWFJsY3k4VEFrVk9NQ0FHQTFVZEpRRUIvd1FXTUJRR0NDc0dBUVVGQndNQ0JnZ3JCZ0VGQlFjREJEQWZCZ05WSFNNRUdEQVdnQlRBaEprcHhFNmZPd0kwOXBuaENsWUFDQ2srZXpCL0JnZ3JCZ0VGQlFjQkFRUnpNSEV3TEFZSUt3WUJCUVVITUFHR0lHaDBkSEE2THk5aGFXRXVaR1Z0Ynk1emF5NWxaUzlsYzNSbGFXUXlNREU0TUVFR0NDc0dBUVVGQnpBQ2hqVm9kSFJ3Y3pvdkwzTnJMbVZsTDNWd2JHOWhaQzltYVd4bGN5OVVSVk5VWDI5bVgwVlRWRVZKUkRJd01UZ3VaR1Z5TG1OeWREQXpCZ05WSFI4RUxEQXFNQ2lnSnFBa2hpSm9kSFJ3T2k4dll5NXpheTVsWlM5MFpYTjBYMlZ6ZEdWcFpESXdNVGd1WTNKc01Bb0dDQ3FHU000OUJBTUVBNEdMQURDQmh3SkNBZDdOR3VDTlhHeFRiNVRnUmVZeFJTZjVYaHByMXFhVGZZZG5Kb1lOWDM5bVg5bFkxZGd5ZmJta1BzTDVpejBiWUxLOXBxRnBKOHdablZpSmpSaTV5dUh4QWtFTjJIdk0vU3d4MEJxRE9uN1FzdjZ6aXgzaHBMUUluWEllRms4aXR2OVhsdnA0VlE1S0g3bXNFZUp6N2NIMEdOTnFaTnBIdkVkTEFjMkJyT2tXbGdadUtRPT0iXX0.eyJhdWQiOlsiaHR0cHM6Ly81MjhiYzlmMjE1MjAubmdyb2suaW8iLCJ1cm46Y2VydDpzaGEtMjU2OjExZDhhZTYwZWMxOTEwYzc5NGQ3NGM4MmM4MGQ5NmIyMDc4OGI1NmFkMjY1ZmZmOWI1MTRjODc1Zjc5MDA4ZTEiXSwiZXhwIjoiMTYwMTU0MTgzNiIsImlhdCI6IjE2MDE1NDE1MzYiLCJpc3MiOiJ3ZWItZWlkIGFwcCAwLjkuMi1yYzEiLCJub25jZSI6ImEvd0FGcE1hWG9qTElhRW1lT3Z2aVJOb0JWcUhCTS9NbTlKVjI4WmNhSW89Iiwic3ViIjoiSsOVRU9SRyxKQUFLLUtSSVNUSkFOLDM4MDAxMDg1NzE4In0.BwC7jocegvB23K8YbuiakF7UdjpW1Rvl4u8zdNdm75M0QygLSOCuW7Nmn5tjKmqNmZjcOBxLlt3uN95_yFxZQAjRpCrkW-7bqfbJVzaqKnBx5lyvrO-69tEMKW578qCz";
+    }
diff --git a/example/src/test/resources/signout.p12 b/example/src/test/resources/signout.p12
new file mode 100644
index 0000000000000000000000000000000000000000..c3454bc6ad75577b1eb2a898a12314f4278739fd
GIT binary patch
literal 3061
zcmV<R3kviwf(!8i0Ru3C3%3RdDuzgg_YDCD0ic2ls04xwq%eXDpfG|4R|W|xhDe6@
z4FLxRpn?WSFoFg|0s#Opf(AVX2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=x&#@f
zZB%>U0s;sCfPw}PqM(J;*JmD>Je0p4NKD!Mb=w4{LB);vco=SMbbA}jABSd+*$VgI
z`D~KJn{2nvDQW$|f&opF<;JUh<;rI?n}bCRv`x*sjGroQfk8~481tt$ZXm?5twx&I
z??;27RhNi*&+8P$$2ONfRyJTAJaxA`8TZ6=0*o)t6GU~@XtGJJ!5gTxFyo_exg){4
zgiw1fhaukah`G{ir@48cCGxU{Ss06<QR9=H9NtuihwYyo?rgcF3;ii30LQTC#Md9C
z!5g<R@mAoTgq0IEeq)!$e!8?*;jt!L4YTP$!nXi+cfPcaq`kSzJxCrL<p`F-`MZGs
zd_G9~L>xpWSgq=dy;C>ekKpgbH=@HkL}y`7e4loA{XeL`!)z>gic+6{Uw7iO74Z&C
z^WG&nDA7Fmoma*$I+(|w<TY_jPRAHkIpOI~9USB3;}`N3Ud}&nnTZPDMFU2$Q^!6j
zMqyga%*)Mw1R$5*=4yPL*Fn}}7LV``MB3rqym4Lxdv1s9T`Ux#Xf8><O=^tY<#YSq
zzd{e|b(agSNq5A!s$4T(90nCz#Q@_u$4<Zn!Qrj&CSwV9MhAptBlpkW*|bNJOgkDm
zUt<#tq~uN%IwZk-$`5D(Cx5MH?UK*mb%pqow$bd6ew<)xI`9^Q0r}uN9aw9-Z>UQy
zCxWzkjQti|0~kGoHrf|%h>F2El564%>t`|_3wt5>$sJu|AcWmP*}&;GR#PuB*`j7V
zIzja*n2b%VY?0Yt#T+%s4;J)%A}vNM4yHv+kY-gQ$(>DhT(M`xEG{n?+M61{bt*Sn
zri*$+Tv{a2goT6d6i$2S18?ktQ7f2s;t|8`e*Z0D14!RoA-*hhCN6WktdxMvv`EsF
zAO*)q^@5`q226y@na6D9_z)t<$oimKP(3pbo2NnB@5fuxgmLA(J_CY#0F+m&EZTO%
z*2~S>fy$IJkysayz3wJWv><tF1;usyH+NNiByN3T0-vJg1dY@nx=Yv{UwM`Zw>USJ
zlRR0H4zfnl<4TnBV?8^5j$Z`HkDz;d*J-=>aVP4`C=ipwJqG~;-wzmXu*y7;qB62V
z7wIqPeO((b-WM;Os_r)W;*%JR6sUPm#pgOT-j<V#qStBP=z<XmR6AUyO{suRQhPwK
z?B?SAuxp#XRf%P^TCye~E)DD33u%`ZySog_WxkS(79IMu1v8<zepam9$|zM~og2<D
z5;>~{JJH`tLFrWY(r_FFvxk=7hLeYjeLVt2TtpsaR&YG28=g^0uCy984dxpHwK!A|
zDW#ff(-$Gi=T&2kH8xKAL7U|#lIq*YFI+Y%j59D2+kL)F-aNyHybgHM2{oo&qtv3V
zqBa`xv|%A+*U~B~)Dx9*Ul<8?;Xpwal-yv@Ga!rRPaIU78Nuvq)&d2&Trd95q6zF0
zeNHs3r;+UuWaWb|onc~R`Lk|vRgj#x;-wh^fhDZjfE$542@IBHUfs#?7_z=r`hl~7
zIPGOO7dyGqZd;Z&fou<?DnV)3=+PbX>-jdN90*N{U#^Pd(XkQvj-T{Fzl8sZGz+G*
z&L$q|38}9P#e7z!!BM=My=HvQ(4CUAah*`$q!+VICZVcvG*vsTlBM{s9Rk>vs(%|-
zPN*BaD339D25ZI~#gF$F!%{_gboa40s)_MMC*+VnsJG==X|zT4=2`#~o#s?qs_9~9
zgRrtgN|5-Ni@5AteGyvl4Ct9xtAny_m-gTk)H%+fs8k16-g`poS5$Pwf9WIrC_*U|
zepHA}-iVhP$A!Qo>+F0x>8nLSUB}6Jh>quTeM76`l~#7_>{x>PU22-8?VBL8mI8=p
z`a?fb9a5KsIhrB~`E4;VlVJs=T|$=H1hjK2<Vz8sjcGh{pxNpJhuCG1GDL+bn8@QV
zKEPX{)sqOI#6QDFqgOOR+oO>m&N&;}Oa>jvusym@Qn8{)-N5bpoRcphl|@0fdX<w4
zw8Fb1pAbJ4UgIje*I1g*6T2FN!o<83ul&nTnqPZU$?kJQd2c5&)Y5Z5WRb$@kR!+P
zn<pXFFoFd^1_>&LNQU<f0S5t~f(0@Jf(0%xf(0rtf(0f93o3?4hW8Bt3<?1Ppn?SM
zFoFc?FdPO7Duzgg_YDCI0Ru1&1PC==wz9CL^V<Rf2ml0v1jyjCg>%yP)?7>=6)%#4
z9b7AushQyH)<LBfdmNh!?l)@#w}L`ymR3Sc#=VjfhmvTHjMSbJeZ$|%VzLf6R$oq$
zu-ZwH$iwekI&6V$Iq-)m9BYYfz{t0c(a~&`{@+X7O#6K4Au&O%*pQ%qv2cA75MVht
z>vQ}-!M@UzgJ&acco_X)*h;c0?(*Mxui#x;_t59Kz%sZAt}!0mGmxQ_y$#v!_A{V>
zUJhm%)nubHA4eH_LzoCD>`RVurFx|7V0E08q5WPULI0WEBlE-k@wtCbHYNmFLwSIo
zHi>xKm7Q<0P@;onh21dM4e|Q!QJ+IREUVR*xPBiZlNS4-Mj2bimERtAVNY=tRtD7K
z=pW*}d94^3<0JB}JoD>=Us~c|^n0jSOv(2m{}NpkC;G-@RvYd+)k-17AB)pUx%A)o
z9!XE5Hr6>7{e=y@B6;OACMA%q1ybcFY=A?{iQ1eJMi`Y3Y<8ahtc&$XTuX))3bPkE
z0`x7P_X-2ty0Rt|!9`KK7Tj-~`~}_)h!)yXuhj;fk>W-u7$@}Reujz0Z`(*>9-S9g
zK{j%8kNs~8{HtT{U9y@jZi9?aO;$z3f)wkuibAWU42P!+=Hx1M)iudKig-o#Q)*lZ
z!Tx0gUs!68SD8^EqYNFjK?d8zAhxpdl5K0dBySU~Sl7YyNkG56L7G<G1^8Ak7%TSA
zKXL4%llD8Aq&D{4b-+=hQs9=q3wk<Lbg*u#3@6q0IR+fhhWi2ogb7q-;6(vHV>TJe
zwiKe<9K2|T7zFHm|Dsh46z9?vB56F1y*Xj~X3-T!I2-u_1fP!GtfSbKsJ*yk9naPD
zdeEEsR6^2F7Tf$qC~c84GOFFeL(c%Jry*H9jf9V=T9RSMBT;d>KQ{56-y}<<n2R|y
zz_K{ojtiXJ_vjxjT>oc(5EGaFA`U4Wt34ePhGz>It(aT2XwAAq9k;)uW~?foZa7@!
z(2BDq<6p%t;UycYSYj)=VbB_x%JF8&7zZ=qvm;KHI>1|>23Qqbj+}MZ&{IftkLR6B
zgYf$?Ik%LY^a{BcSbG=me0ad6fQ_O(+Ht-FlM~0dwf4zW2A2B8+(_tA7_Fm>gL^pc
z(1E2~<+}>Iiwh=S^$qF+2(5PkYw5<}Q+|sIH%-_BxbV+?C*l!_!kaT1%lbKtOsY<N
zJ5kz;9lXFz58CW=&3sn2SbAPR%6}g)eumMVc=<_Y$k_edvehi7WKNWT<;73#$@q;S
z!)xbj>>vxPdnR0{<|h>TV}X%>maczTXduHwB=4XI9ON$<(Sfw;tt7FX0ulBf$O#RM
z0}??r1sQ<I^rD1N?cL)7#A5^sn&wiZIu_pYZP(It-GCM01jtc6pzqyfq9cBFMT}A-
zf>yeoY;+b4k2EJ+o>!s)^#Ke$DkzjJj}zUICqyE7&zFv0)(l`zJb~O;f=`?q7q_XG
zy;Ezm6H~X+JS8-EE`PyA9$EG37?<W?5z24{vg21nv$=ORhU*v<pkRKZc}DrMERN6^
z4Nz_MIW=J(R#v%ji=5-PP2u^EgzC9o`+M%keRY+nJMZr-dJ26|0s(91+fdljl8fB1
zB$Hw({yfaZS&KS69y2i|Fe3&DDuzgg_YDCF6)_eB6dVC9Ut!VMO`1iXZ%EV5pGduA
zfiN*JAutIB1uG5%0vZJX1QgAAe)XVo9v(h&*1s2I;=sflLXrds#pC`>MoE$c0s;sC
DF8QKu

literal 0
HcmV?d00001


From 3222b3c055ba4e15d9c792781282a74a4df26f6f Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Mon, 28 Dec 2020 21:51:13 +0200
Subject: [PATCH 003/116] Add macOS installer

---
 example/src/main/resources/static/files/web-eid-0.9.3.869.pkg | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 example/src/main/resources/static/files/web-eid-0.9.3.869.pkg

diff --git a/example/src/main/resources/static/files/web-eid-0.9.3.869.pkg b/example/src/main/resources/static/files/web-eid-0.9.3.869.pkg
new file mode 100644
index 0000000..2422585
--- /dev/null
+++ b/example/src/main/resources/static/files/web-eid-0.9.3.869.pkg
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aeb461c229974e8ac77863adb2c44005e6de97bce0d91f0c06585cab15897f10
+size 16356278

From 4170767fd10ec68761dd82432e42108f46b171c8 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Mon, 28 Dec 2020 21:52:28 +0200
Subject: [PATCH 004/116] Add Ubuntu and Windows installer

---
 .../src/main/resources/static/files/web-eid-0.9.3.869.x64.msi  | 3 +++
 .../main/resources/static/files/web-eid_0.9.3.869_amd64.deb    | 3 +++
 2 files changed, 6 insertions(+)
 create mode 100644 example/src/main/resources/static/files/web-eid-0.9.3.869.x64.msi
 create mode 100644 example/src/main/resources/static/files/web-eid_0.9.3.869_amd64.deb

diff --git a/example/src/main/resources/static/files/web-eid-0.9.3.869.x64.msi b/example/src/main/resources/static/files/web-eid-0.9.3.869.x64.msi
new file mode 100644
index 0000000..61af046
--- /dev/null
+++ b/example/src/main/resources/static/files/web-eid-0.9.3.869.x64.msi
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2fd08ee1e391963cfbed560a0a264ff0b1dec49b51a2aa152990170e693e009b
+size 18817024
diff --git a/example/src/main/resources/static/files/web-eid_0.9.3.869_amd64.deb b/example/src/main/resources/static/files/web-eid_0.9.3.869_amd64.deb
new file mode 100644
index 0000000..1c9c408
--- /dev/null
+++ b/example/src/main/resources/static/files/web-eid_0.9.3.869_amd64.deb
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:45191ae3e12f69f457e74afd5b852104f4099adb7a6861b011ccbef671cd4eae
+size 113064

From 05ac09e29eb1aad6f8c655d0c3a78c013066b827 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 19 Feb 2021 21:42:05 +0200
Subject: [PATCH 005/116] build(deps): use GitHub Packages for
 authtoken-validation, update Guava and DigiDoc4j

---
 example/pom.xml | 24 +++++++-----------------
 1 file changed, 7 insertions(+), 17 deletions(-)

diff --git a/example/pom.xml b/example/pom.xml
index d8048c4..e1ffd9e 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -57,18 +57,18 @@
 		<dependency>
 			<groupId>com.google.guava</groupId>
 			<artifactId>guava</artifactId>
-			<version>20.0</version>
+			<version>30.1-jre</version>
 		</dependency>
 
 		<dependency>
 			<groupId>org.digidoc4j</groupId>
 			<artifactId>digidoc4j</artifactId>
-			<version>4.0.3</version>
+			<version>4.1.0</version>
 		</dependency>
 		<dependency>
 			<groupId>org.webeid.security</groupId>
 			<artifactId>authtoken-validation</artifactId>
-			<version>1.0.0-SNAPSHOT</version>
+			<version>1.0.0</version>
 		</dependency>
 
 		<dependency>
@@ -123,21 +123,11 @@
 
 	<repositories>
 		<repository>
-			<id>gitlab-maven</id>
-			<url>https://gitlab.com/api/v4/projects/19948337/packages/maven</url>
+			<id>github</id>
+			<!-- This URL contains a public personal access token with rights to download packages from GitHub Package Registry.
+			     This is currently the only way for consuming public Maven packages from GitHub Packages, see https://stackoverflow.com/a/64443958/258772. -->
+			<url>https://mrts:ffc291fb68b3d53d4edd14c847edf939fb2a15c5@maven.pkg.github.com/web-eid/web-eid-authtoken-validation-java</url>
 		</repository>
 	</repositories>
 
-	<distributionManagement>
-		<repository>
-			<id>gitlab-maven</id>
-			<url>https://gitlab.com/api/v4/projects/19948337/packages/maven</url>
-		</repository>
-
-		<snapshotRepository>
-			<id>gitlab-maven</id>
-			<url>https://gitlab.com/api/v4/projects/19948337/packages/maven</url>
-		</snapshotRepository>
-	</distributionManagement>
-
 </project>

From 0aeafc085d46037b9e269387a1dc365b10db5a2f Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 19 Feb 2021 21:46:32 +0200
Subject: [PATCH 006/116] feat: add configurable support for DigiDoc4j prod
 mode, enable OCSP check

---
 .../example/config/ValidationConfiguration.java   |  2 --
 .../org/webeid/example/config/YAMLConfig.java     | 15 +++++++++++++--
 .../webeid/example/service/SigningService.java    |  7 ++++---
 example/src/main/resources/application.yaml       |  3 ++-
 example/src/test/resources/application.yaml       | 12 ++++++++++++
 5 files changed, 31 insertions(+), 8 deletions(-)
 create mode 100644 example/src/test/resources/application.yaml

diff --git a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
index dc2ae7e..386a205 100644
--- a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
+++ b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
@@ -131,8 +131,6 @@ public AuthTokenValidator validator() {
                 .withNonceCache(nonceCache())
                 .withTrustedCertificateAuthorities(trustedCertificateAuthorities())
                 .withTrustedCertificateAuthorities(initializeTrustedCACertificatesFromKeyStore())
-                // FIXME: investigate why for Idemia test card OcspUtils.ocspUri() -> null so that "User certificate revocation check has failed: The CA/certificate doesn't have an OCSP responder"
-                .withoutUserCertificateRevocationCheckWithOcsp()
                 .build();
     }
 
diff --git a/example/src/main/java/org/webeid/example/config/YAMLConfig.java b/example/src/main/java/org/webeid/example/config/YAMLConfig.java
index d756101..7a56bc2 100644
--- a/example/src/main/java/org/webeid/example/config/YAMLConfig.java
+++ b/example/src/main/java/org/webeid/example/config/YAMLConfig.java
@@ -29,7 +29,7 @@
 
 @Configuration
 @EnableConfigurationProperties
-@ConfigurationProperties(prefix = "token.validation")
+@ConfigurationProperties(prefix = "web-eid-auth-token.validation")
 public class YAMLConfig {
 
     private final String FINGERPRINT_PREFIX = "urn:cert:sha-256:";
@@ -41,6 +41,9 @@ public class YAMLConfig {
     @Value("keystore-password")
     private String keystorePassword;
 
+    @Value("#{new Boolean('${web-eid-auth-token.validation.use-digidoc4j-prod-configuration}'.trim())}")
+    private Boolean useDigiDoc4jProdConfiguration;
+
     public String getLocalOrigin() {
         return localOrigin;
     }
@@ -50,7 +53,7 @@ public void setLocalOrigin(String localOrigin) {
     }
 
     public String getFingerprint() {
-        if(fingerprint != null && !fingerprint.startsWith(FINGERPRINT_PREFIX)) {
+        if (fingerprint != null && !fingerprint.startsWith(FINGERPRINT_PREFIX)) {
             fingerprint = FINGERPRINT_PREFIX + fingerprint.replace(":", "").toLowerCase();
         }
         return fingerprint;
@@ -67,4 +70,12 @@ public String getKeystorePassword() {
     public void setKeystorePassword(String keystorePassword) {
         this.keystorePassword = keystorePassword;
     }
+
+    public boolean getUseDigiDoc4jProdConfiguration() {
+        return useDigiDoc4jProdConfiguration;
+    }
+
+    public void setUseDigiDoc4jProdConfiguration(boolean useDigiDoc4jProdConfiguration) {
+        this.useDigiDoc4jProdConfiguration = useDigiDoc4jProdConfiguration;
+    }
 }
diff --git a/example/src/main/java/org/webeid/example/service/SigningService.java b/example/src/main/java/org/webeid/example/service/SigningService.java
index e790204..b94043b 100644
--- a/example/src/main/java/org/webeid/example/service/SigningService.java
+++ b/example/src/main/java/org/webeid/example/service/SigningService.java
@@ -31,6 +31,7 @@
 import org.springframework.beans.factory.ObjectFactory;
 import org.springframework.core.io.ByteArrayResource;
 import org.springframework.stereotype.Service;
+import org.webeid.example.config.YAMLConfig;
 import org.webeid.example.service.dto.CertificateDTO;
 import org.webeid.example.service.dto.DigestDTO;
 import org.webeid.example.service.dto.FileDTO;
@@ -59,9 +60,9 @@ public class SigningService {
 
     ObjectFactory<HttpSession> httpSessionFactory;
 
-    public SigningService(ObjectFactory<HttpSession> httpSessionFactory) {
-        // FIXME: use PROD conf + real OCSP (with IP whitelisting)
-        this.signingConfiguration = Configuration.of(Configuration.Mode.TEST);
+    public SigningService(ObjectFactory<HttpSession> httpSessionFactory, YAMLConfig yamlConfig) {
+        this.signingConfiguration = Configuration.of(yamlConfig.getUseDigiDoc4jProdConfiguration() ?
+                Configuration.Mode.PROD : Configuration.Mode.TEST);
         this.httpSessionFactory = httpSessionFactory;
     }
 
diff --git a/example/src/main/resources/application.yaml b/example/src/main/resources/application.yaml
index ba1e78c..05e7b8e 100644
--- a/example/src/main/resources/application.yaml
+++ b/example/src/main/resources/application.yaml
@@ -4,8 +4,9 @@ spring:
     multipart:
       max-file-size: 5000KB
       max-request-size: 5000KB
-token:
+web-eid-auth-token:
   validation:
+    use-digidoc4j-prod-configuration: true
     local-origin: "https://web-eid.eu"
     fingerprint: "11:D8:AE:60:EC:19:10:C7:94:D7:4C:82:C8:0D:96:B2:07:88:B5:6A:D2:65:FF:F9:B5:14:C8:75:F7:90:08:E1"
     keystore-password: "changeit"
diff --git a/example/src/test/resources/application.yaml b/example/src/test/resources/application.yaml
new file mode 100644
index 0000000..d7155cb
--- /dev/null
+++ b/example/src/test/resources/application.yaml
@@ -0,0 +1,12 @@
+spring:
+  profiles: dev
+  servlet:
+    multipart:
+      max-file-size: 5000KB
+      max-request-size: 5000KB
+web-eid-auth-token:
+  validation:
+    use-digidoc4j-prod-configuration: false
+    local-origin: "https://528bc9f21520.ngrok.io"
+    fingerprint: "unused"
+    keystore-password: "changeit"

From f8b878f8a68718d7145277cd3e6a148c8429423c Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 19 Feb 2021 21:48:06 +0200
Subject: [PATCH 007/116] fix: mock OCSP checks with JMock to make
 testHappyFlow_LoginUploadPrepareSignDownload() pass

---
 example/.github/workflows/maven-build.yml     |  27 ++++++++++++
 .../org/webeid/example/DateMockingTest.java   |  22 ++++++++++
 .../webeid/example/WebApplicationTest.java    |  41 ++++++++++++++----
 .../webeid/example/testutil/FakeNonce.java    |  36 ---------------
 .../certs/TEST_of_ESTEID-SK_2015.cer          | Bin
 .../resources/certs/TEST_of_ESTEID2018.cer    | Bin
 6 files changed, 81 insertions(+), 45 deletions(-)
 create mode 100644 example/.github/workflows/maven-build.yml
 create mode 100644 example/src/test/java/org/webeid/example/DateMockingTest.java
 delete mode 100644 example/src/test/java/org/webeid/example/testutil/FakeNonce.java
 rename example/src/{main => test}/resources/certs/TEST_of_ESTEID-SK_2015.cer (100%)
 rename example/src/{main => test}/resources/certs/TEST_of_ESTEID2018.cer (100%)

diff --git a/example/.github/workflows/maven-build.yml b/example/.github/workflows/maven-build.yml
new file mode 100644
index 0000000..ae38343
--- /dev/null
+++ b/example/.github/workflows/maven-build.yml
@@ -0,0 +1,27 @@
+name: Maven build
+
+on: [ push, pull_request ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: actions/setup-java@v1
+        with:
+          java-version: 1.8
+
+      - name: Cache Maven packages
+        uses: actions/cache@v1
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-v8-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-v8
+
+      - name: Build
+        run: mvn --batch-mode compile
+
+      - name: Test and package
+        run: mvn --batch-mode package
diff --git a/example/src/test/java/org/webeid/example/DateMockingTest.java b/example/src/test/java/org/webeid/example/DateMockingTest.java
new file mode 100644
index 0000000..f8bcee6
--- /dev/null
+++ b/example/src/test/java/org/webeid/example/DateMockingTest.java
@@ -0,0 +1,22 @@
+package org.webeid.example;
+
+import org.junit.jupiter.api.Test;
+import org.webeid.example.testutil.Dates;
+
+import java.text.ParseException;
+import java.util.Date;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+public class DateMockingTest {
+
+    @Test
+    void testDateMocking() throws ParseException {
+        final Date date = Dates.create("2020-04-14T13:36:49Z");
+        Dates.setMockedDate(date);
+
+        // Mocking native methods is unreliable, see https://github.com/jmockit/jmockit1/issues/689#issuecomment-702965484
+        assertThat(System.currentTimeMillis()).isEqualTo(date.getTime());
+    }
+
+}
diff --git a/example/src/test/java/org/webeid/example/WebApplicationTest.java b/example/src/test/java/org/webeid/example/WebApplicationTest.java
index b86e655..9d32d4b 100644
--- a/example/src/test/java/org/webeid/example/WebApplicationTest.java
+++ b/example/src/test/java/org/webeid/example/WebApplicationTest.java
@@ -22,9 +22,11 @@
 
 package org.webeid.example;
 
-import com.hazelcast.util.Base64;
+import mockit.Mock;
+import mockit.MockUp;
+import org.digidoc4j.impl.asic.AsicSignatureFinalizer;
+import org.digidoc4j.impl.asic.xades.XadesSignature;
 import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
@@ -37,11 +39,13 @@
 import org.springframework.web.context.WebApplicationContext;
 import org.webeid.example.service.dto.DigestDTO;
 import org.webeid.example.testutil.Dates;
-import org.webeid.example.testutil.FakeNonce;
 import org.webeid.example.testutil.HttpHelper;
 import org.webeid.example.testutil.ObjectMother;
+import org.webeid.security.validator.AuthTokenValidatorData;
+import org.webeid.security.validator.validators.SubjectCertificateNotRevokedValidator;
 
-import java.nio.charset.StandardCharsets;
+import javax.cache.Cache;
+import java.time.LocalDateTime;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
@@ -49,13 +53,17 @@
 @SpringBootTest
 @WebAppConfiguration
 public class WebApplicationTest {
+
+    @Autowired
+    Cache<String, LocalDateTime> cache;
+
     @Autowired
     private WebApplicationContext context;
 
     @Autowired
     private javax.servlet.Filter[] springSecurityFilterChain;
 
-    private static final byte[] TEST_NONCE_BYTES = Base64.decode("a/wAFpMaXojLIaEmeOvviRNoBVqHBM/Mm9JV28ZcaIo=".getBytes(StandardCharsets.UTF_8));
+    private static final String TEST_NONCE = "a/wAFpMaXojLIaEmeOvviRNoBVqHBM/Mm9JV28ZcaIo=";
     private static DefaultMockMvcBuilder mvcBuilder;
 
     @BeforeEach
@@ -76,19 +84,35 @@ public void testRoot() throws Exception {
         System.out.println(response.getContentAsString());
     }
 
-    @Disabled // FIXME: fix and enable
     @Test
     public void testHappyFlow_LoginUploadPrepareSignDownload() throws Exception {
 
+        // Arrange
+        new MockUp<SubjectCertificateNotRevokedValidator>() {
+            @Mock
+            public void validateCertificateNotRevoked(AuthTokenValidatorData actualTokenData) {
+                // Do not call real OCSP service in tests.
+            }
+        };
+
+        new MockUp<AsicSignatureFinalizer>() {
+            @Mock
+            public void validateOcspResponse(XadesSignature xadesSignature) {
+                // Do not call real OCSP service in tests.
+            }
+        };
+
+        cache.put(TEST_NONCE, LocalDateTime.now().plusMinutes(5));
+
         final MockHttpSession session = new MockHttpSession();
 
-        FakeNonce.setMockedNonce(TEST_NONCE_BYTES);
         Dates.setMockedDate(Dates.create("2020-04-14T13:36:49Z"));
 
+        // Act and assert
         mvcBuilder.build().perform(get("/auth/challenge"));
 
         MockHttpServletResponse response = HttpHelper.login(mvcBuilder, session, ObjectMother.mockAuthToken());
-        assertEquals("{\"sub\":\"JÕEORG,JAAK-KRISTJAN,38001085718\",\"auth\":[\"ROLE_USER\"]}", response.getContentAsString());
+        assertEquals("{\"sub\":\"JAAK-KRISTJAN JÕEORG, PNOEE-38001085718\",\"auth\":[\"ROLE_USER\"]}", response.getContentAsString());
 
         response = HttpHelper.upload(mvcBuilder, session, ObjectMother.mockMultipartFile());
         assertEquals(HttpStatus.OK.value(), response.getStatus());
@@ -96,7 +120,6 @@ public void testHappyFlow_LoginUploadPrepareSignDownload() throws Exception {
         response = HttpHelper.prepare(mvcBuilder, session, ObjectMother.mockPrepareRequest());
         assertEquals(HttpStatus.OK.value(), response.getStatus());
 
-
         DigestDTO digestDTO = ObjectMother.jsonStringToBean(response.getContentAsString(), DigestDTO.class);
 
         response = HttpHelper.sign(mvcBuilder, session, ObjectMother.mockSignRequest(digestDTO.getHash()));
diff --git a/example/src/test/java/org/webeid/example/testutil/FakeNonce.java b/example/src/test/java/org/webeid/example/testutil/FakeNonce.java
deleted file mode 100644
index c923cb9..0000000
--- a/example/src/test/java/org/webeid/example/testutil/FakeNonce.java
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (c) 2020 The Web eID Project
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-package org.webeid.example.testutil;
-
-public final class FakeNonce {
-
-    public static void setMockedNonce(byte[] nonce) {
-        // FIXME:
-//        new MockUp<Nonce>() {
-//            @Mock
-//            public byte[] getNonceBytes() {
-//                return nonce;
-//            }
-//        };
-    }
-}
diff --git a/example/src/main/resources/certs/TEST_of_ESTEID-SK_2015.cer b/example/src/test/resources/certs/TEST_of_ESTEID-SK_2015.cer
similarity index 100%
rename from example/src/main/resources/certs/TEST_of_ESTEID-SK_2015.cer
rename to example/src/test/resources/certs/TEST_of_ESTEID-SK_2015.cer
diff --git a/example/src/main/resources/certs/TEST_of_ESTEID2018.cer b/example/src/test/resources/certs/TEST_of_ESTEID2018.cer
similarity index 100%
rename from example/src/main/resources/certs/TEST_of_ESTEID2018.cer
rename to example/src/test/resources/certs/TEST_of_ESTEID2018.cer

From 7e7b93a7dc4b46e5266b931d979c2651b4d47294 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Mon, 22 Feb 2021 14:08:52 +0200
Subject: [PATCH 008/116] ci: use GitLab Package Repository instead of GitHub
 as GitHub Packages does not allow unauthorized read access

---
 example/pom.xml                               |  9 +++++---
 .../org/webeid/example/DateMockingTest.java   | 22 +++++++++++++++++++
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/example/pom.xml b/example/pom.xml
index e1ffd9e..2f67efe 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -123,10 +123,13 @@
 
 	<repositories>
 		<repository>
+			<id>gitlab</id>
+			<url>https://gitlab.com/api/v4/projects/19948337/packages/maven</url>
+			<!-- Github Packages does not currently support public access, so disabled until it does.
+			     See https://github.community/t/download-from-github-package-registry-without-authentication/14407
 			<id>github</id>
-			<!-- This URL contains a public personal access token with rights to download packages from GitHub Package Registry.
-			     This is currently the only way for consuming public Maven packages from GitHub Packages, see https://stackoverflow.com/a/64443958/258772. -->
-			<url>https://mrts:ffc291fb68b3d53d4edd14c847edf939fb2a15c5@maven.pkg.github.com/web-eid/web-eid-authtoken-validation-java</url>
+			<url>https://maven.pkg.github.com/web-eid/web-eid-authtoken-validation-java</url>
+			-->
 		</repository>
 	</repositories>
 
diff --git a/example/src/test/java/org/webeid/example/DateMockingTest.java b/example/src/test/java/org/webeid/example/DateMockingTest.java
index f8bcee6..8dfa6d0 100644
--- a/example/src/test/java/org/webeid/example/DateMockingTest.java
+++ b/example/src/test/java/org/webeid/example/DateMockingTest.java
@@ -1,3 +1,25 @@
+/*
+ * Copyright (c) 2020 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 package org.webeid.example;
 
 import org.junit.jupiter.api.Test;

From 836e1fd9e7ff2fb7b51a82864e5419d6e0e7410e Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Mon, 22 Feb 2021 19:08:54 +0200
Subject: [PATCH 009/116] deployment: add Fabric deployment script, fix okhttp
 version

---
 example/pom.xml                             | 20 +++++++++++++-------
 example/scripts/deployment/.gitignore       |  2 ++
 example/scripts/deployment/README.md        | 20 ++++++++++++++++++++
 example/scripts/deployment/fab.sh           | 11 +++++++++++
 example/scripts/deployment/fabfile.py       | 18 ++++++++++++++++++
 example/scripts/deployment/requirements.txt |  1 +
 6 files changed, 65 insertions(+), 7 deletions(-)
 create mode 100644 example/scripts/deployment/.gitignore
 create mode 100644 example/scripts/deployment/README.md
 create mode 100644 example/scripts/deployment/fab.sh
 create mode 100644 example/scripts/deployment/fabfile.py
 create mode 100644 example/scripts/deployment/requirements.txt

diff --git a/example/pom.xml b/example/pom.xml
index 2f67efe..eaf2854 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -23,6 +23,7 @@
 	</properties>
 
 	<dependencies>
+
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>
@@ -40,25 +41,30 @@
 			<artifactId>spring-security-config</artifactId>
 		</dependency>
 
-		<dependency>
-			<groupId>javax.cache</groupId>
-			<artifactId>cache-api</artifactId>
-			<version>1.1.1</version>
-		</dependency>
 		<dependency>
 			<groupId>com.hazelcast</groupId>
 			<artifactId>hazelcast</artifactId>
 		</dependency>
-
 		<dependency>
 			<groupId>org.hibernate.validator</groupId>
 			<artifactId>hibernate-validator</artifactId>
 		</dependency>
+
+		<dependency>
+			<groupId>javax.cache</groupId>
+			<artifactId>cache-api</artifactId>
+			<version>1.1.1</version>
+		</dependency>
 		<dependency>
 			<groupId>com.google.guava</groupId>
 			<artifactId>guava</artifactId>
 			<version>30.1-jre</version>
 		</dependency>
+		<dependency>
+			<groupId>com.squareup.okhttp3</groupId>
+			<artifactId>okhttp</artifactId>
+			<version>4.9.0</version>
+		</dependency>
 
 		<dependency>
 			<groupId>org.digidoc4j</groupId>
@@ -93,13 +99,13 @@
 			<artifactId>spring-security-test</artifactId>
 			<scope>test</scope>
 		</dependency>
-
 		<dependency>
 			<groupId>org.jmockit</groupId>
 			<artifactId>jmockit</artifactId>
 			<version>${jmockit.version}</version>
 			<scope>test</scope>
 		</dependency>
+
 	</dependencies>
 
 	<build>
diff --git a/example/scripts/deployment/.gitignore b/example/scripts/deployment/.gitignore
new file mode 100644
index 0000000..af2ecbd
--- /dev/null
+++ b/example/scripts/deployment/.gitignore
@@ -0,0 +1,2 @@
+*.swp
+venv/
diff --git a/example/scripts/deployment/README.md b/example/scripts/deployment/README.md
new file mode 100644
index 0000000..333b1e2
--- /dev/null
+++ b/example/scripts/deployment/README.md
@@ -0,0 +1,20 @@
+## Deploy new version to web-eid.eu server
+
+In the local machine:
+
+1. Setup virtualenv and install [Fabric](https://www.fabfile.org/)
+
+       python3 -m venv venv
+       . venv/bin/activate  # . venv/Scripts/activate on Windows
+       pip install -r requirements.txt
+
+2. Check the project path, server hostname, user and port in `fab.sh`
+
+4. Verify that Fabric is able to connect to the server by running `uname`
+
+       ./fab.sh uname
+
+7. Deploy the project
+
+       ./fab.sh deploy
+
diff --git a/example/scripts/deployment/fab.sh b/example/scripts/deployment/fab.sh
new file mode 100644
index 0000000..e58e1dd
--- /dev/null
+++ b/example/scripts/deployment/fab.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -eu
+
+SERVER_ADDRESS=server
+SERVER_USER=user
+SERVER_PORT=22
+
+export WEBEID_DIR='/path/'
+
+fab -e -H ${SERVER_USER}@${SERVER_ADDRESS}:${SERVER_PORT} "$@"
diff --git a/example/scripts/deployment/fabfile.py b/example/scripts/deployment/fabfile.py
new file mode 100644
index 0000000..c4612a3
--- /dev/null
+++ b/example/scripts/deployment/fabfile.py
@@ -0,0 +1,18 @@
+import os
+
+from fabric import task
+
+
+@task
+def uname(c):
+    c.run('uname -a')
+
+
+@task
+def deploy(c):
+    with c.cd(os.getenv('WEBEID_DIR')):
+        c.run('git pull')
+        c.run('mvn clean package com.google.cloud.tools:jib-maven-plugin:dockerBuild')
+        c.run('docker-compose down')
+        c.run('docker-compose up -d')
+
diff --git a/example/scripts/deployment/requirements.txt b/example/scripts/deployment/requirements.txt
new file mode 100644
index 0000000..50d35bb
--- /dev/null
+++ b/example/scripts/deployment/requirements.txt
@@ -0,0 +1 @@
+fabric < 3

From 3d298ea395cf3bed66f198fe7a263cfd00a8581a Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Mon, 22 Feb 2021 20:55:56 +0200
Subject: [PATCH 010/116] refactor: use Caffeine instead of Hazelcast

---
 example/pom.xml                               | 24 ++++++++++++-------
 .../config/ValidationConfiguration.java       | 24 +++++++++++++++++--
 2 files changed, 37 insertions(+), 11 deletions(-)

diff --git a/example/pom.xml b/example/pom.xml
index eaf2854..a7f8064 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -19,11 +19,11 @@
 	<properties>
 		<java.version>1.8</java.version>
 		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
+		<caffeine.version>2.8.5</caffeine.version>
 		<jmockit.version>1.44</jmockit.version>
 	</properties>
 
 	<dependencies>
-
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>
@@ -32,6 +32,10 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-thymeleaf</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-cache</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-security</artifactId>
@@ -42,19 +46,21 @@
 		</dependency>
 
 		<dependency>
-			<groupId>com.hazelcast</groupId>
-			<artifactId>hazelcast</artifactId>
+			<groupId>javax.cache</groupId>
+			<artifactId>cache-api</artifactId>
+			<version>1.1.1</version>
 		</dependency>
 		<dependency>
-			<groupId>org.hibernate.validator</groupId>
-			<artifactId>hibernate-validator</artifactId>
+			<groupId>com.github.ben-manes.caffeine</groupId>
+			<artifactId>caffeine</artifactId>
+			<version>${caffeine.version}</version>
 		</dependency>
-
 		<dependency>
-			<groupId>javax.cache</groupId>
-			<artifactId>cache-api</artifactId>
-			<version>1.1.1</version>
+			<groupId>com.github.ben-manes.caffeine</groupId>
+			<artifactId>jcache</artifactId>
+			<version>${caffeine.version}</version>
 		</dependency>
+
 		<dependency>
 			<groupId>com.google.guava</groupId>
 			<artifactId>guava</artifactId>
diff --git a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
index 386a205..09782dc 100644
--- a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
+++ b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
@@ -22,6 +22,7 @@
 
 package org.webeid.example.config;
 
+import com.github.benmanes.caffeine.jcache.spi.CaffeineCachingProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.context.annotation.Bean;
@@ -38,6 +39,8 @@
 import javax.cache.Caching;
 import javax.cache.configuration.CompleteConfiguration;
 import javax.cache.configuration.MutableConfiguration;
+import javax.cache.expiry.CreatedExpiryPolicy;
+import javax.cache.expiry.Duration;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URI;
@@ -51,12 +54,21 @@
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+import static javax.cache.configuration.FactoryBuilder.factoryOf;
 
 @Configuration
 public class ValidationConfiguration {
 
     private static final Logger LOG = LoggerFactory.getLogger(ValidationConfiguration.class);
     private static final String CACHE_NAME = "nonceCache";
+    private static final long NONCE_TTL_MINUTES = 5;
+
+    @Bean
+    public CacheManager cacheManager() {
+        return Caching.getCachingProvider(CaffeineCachingProvider.class.getName()).getCacheManager();
+    }
 
     @Bean
     public Cache<String, LocalDateTime> nonceCache() {
@@ -64,8 +76,7 @@ public Cache<String, LocalDateTime> nonceCache() {
         Cache<String, LocalDateTime> cache = cacheManager.getCache(CACHE_NAME);
 
         if (cache == null) {
-            CompleteConfiguration<String, LocalDateTime> cacheConfig = new MutableConfiguration<String, LocalDateTime>().setTypes(String.class, LocalDateTime.class);
-            cache = cacheManager.createCache(CACHE_NAME, cacheConfig);
+            cache = createNonceCache(cacheManager);
         }
         return cache;
     }
@@ -73,6 +84,7 @@ public Cache<String, LocalDateTime> nonceCache() {
     @Bean
     public NonceGenerator generator() {
         return new NonceGeneratorBuilder()
+                .withNonceTtl(java.time.Duration.ofMinutes(NONCE_TTL_MINUTES))
                 .withNonceCache(nonceCache())
                 .build();
     }
@@ -138,4 +150,12 @@ public AuthTokenValidator validator() {
     public YAMLConfig yamlConfig() {
         return new YAMLConfig();
     }
+
+    private Cache<String, LocalDateTime> createNonceCache(CacheManager cacheManager) {
+        CompleteConfiguration<String, LocalDateTime> cacheConfig = new MutableConfiguration<String, LocalDateTime>()
+                .setTypes(String.class, LocalDateTime.class)
+                .setExpiryPolicyFactory(factoryOf(new CreatedExpiryPolicy(
+                        new Duration(TimeUnit.MINUTES, NONCE_TTL_MINUTES + 1))));
+        return cacheManager.createCache(CACHE_NAME, cacheConfig);
+    }
 }

From 99ede256517b87958ee7026c54067e6b01e3a511 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 23 Feb 2021 22:55:34 +0200
Subject: [PATCH 011/116] docs,installer: update installer packages to
 0.9.4.76, update instructions in index.html, remove obsolete Firefox
 extension files

---
 .../config/ValidationConfiguration.java       |   2 +-
 .../firefox-web-eid-extension-updates.json    |  12 -------
 .../firefox/web-eid-webextension-0.9.1.xpi    | Bin 78545 -> 0 bytes
 .../firefox/web-eid-webextension-latest.xpi   | Bin 78545 -> 0 bytes
 .../static/files/web-eid-0.9.3.869.pkg        |   3 --
 .../static/files/web-eid-0.9.3.869.x64.msi    |   3 --
 .../static/files/web-eid-0.9.4.76.pkg         |   3 ++
 .../static/files/web-eid-0.9.4.76.x64.msi     |   3 ++
 .../static/files/web-eid_0.9.3.869_amd64.deb  |   3 --
 .../static/files/web-eid_0.9.4.76_amd64.deb   |   3 ++
 example/src/main/resources/static/index.html  |  32 ++++--------------
 11 files changed, 17 insertions(+), 47 deletions(-)
 delete mode 100644 example/src/main/resources/static/files/firefox/firefox-web-eid-extension-updates.json
 delete mode 100644 example/src/main/resources/static/files/firefox/web-eid-webextension-0.9.1.xpi
 delete mode 100644 example/src/main/resources/static/files/firefox/web-eid-webextension-latest.xpi
 delete mode 100644 example/src/main/resources/static/files/web-eid-0.9.3.869.pkg
 delete mode 100644 example/src/main/resources/static/files/web-eid-0.9.3.869.x64.msi
 create mode 100644 example/src/main/resources/static/files/web-eid-0.9.4.76.pkg
 create mode 100644 example/src/main/resources/static/files/web-eid-0.9.4.76.x64.msi
 delete mode 100644 example/src/main/resources/static/files/web-eid_0.9.3.869_amd64.deb
 create mode 100644 example/src/main/resources/static/files/web-eid_0.9.4.76_amd64.deb

diff --git a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
index 09782dc..efb30ca 100644
--- a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
+++ b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
@@ -138,7 +138,7 @@ public X509Certificate[] initializeTrustedCACertificatesFromKeyStore() {
     public AuthTokenValidator validator() {
         return new AuthTokenValidatorBuilder()
                 .withSiteOrigin(URI.create(yamlConfig().getLocalOrigin()))
-                // FIXME: decide what should validation library do when cert fingerprint validation is enabled but fingerprint is null (as in Chrome)
+                // TODO: it is still open what the validation library should do when cert fingerprint validation is enabled but fingerprint is null (as in Chrome).
 //                .withSiteCertificateSha256Fingerprint(yamlConfig().getFingerprint())
                 .withNonceCache(nonceCache())
                 .withTrustedCertificateAuthorities(trustedCertificateAuthorities())
diff --git a/example/src/main/resources/static/files/firefox/firefox-web-eid-extension-updates.json b/example/src/main/resources/static/files/firefox/firefox-web-eid-extension-updates.json
deleted file mode 100644
index 776d6ed..0000000
--- a/example/src/main/resources/static/files/firefox/firefox-web-eid-extension-updates.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
-  "addons": {
-    "{89bcad3c-5c95-4a6c-a5a5-64da932f6bf7}": {
-      "updates": [
-        {
-          "version": "0.9.1",
-          "update_link": "https://web-eid.eu/files/firefox/web-eid-webextension-0.9.1.xpi"
-        }
-      ]
-    }
-  }
-}
\ No newline at end of file
diff --git a/example/src/main/resources/static/files/firefox/web-eid-webextension-0.9.1.xpi b/example/src/main/resources/static/files/firefox/web-eid-webextension-0.9.1.xpi
deleted file mode 100644
index c52b40fd5fe649f036b7a704f8a5edd8c82c1285..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 78545
zcmZ@<Q*b40u#9b=7#k-iwr$(k*tU6M+s<xm+Z$|bdt)2-zpuCI&b-abH&rwBRo8U4
zvK%B778u-r`F{iXzk;dBPg_eDM|TG^ppEN=zr7X#Px{UC2SQ7M;1<<S`Q){%JhI6t
z-eDOwg`ko0rY0Sfag9a;1)V!-y8gVIor02;dA+q!;R?%{<wz(k8Lj`~S)#MkCV@Wp
zHpF;#8={~9{KkI-%{Uha@cs4JWC_MiNks`5XoMVPJ_rM<LxV-LSly2hCb5jqwfDna
zTwVsJ|5}0A@vjha+hgEr2?|(o*eXQtJc4Tq*}deU#XTry&?CC}#X;e%QM~NEb!e;e
zj8d3P)@I_yN1e)c6KB;ih~T#Un_vNK9ibF;EVUy7Yf2jB>4Lx*>^kJH=iAoSIo@Hq
zcZKvKk&4R@8niEjq1Mo>y&&YS!{lzwAJhtoFy5D{cW2yF1f;YBag|pe+)XTQYAzz>
zgsdy3mk$O)`k0?!7n8V7{BHpBZa$HZFbqZU@B?Q(t<~h|b8^@Fo^m%y<^$vJ$b|#c
z&lr*K)60>_FXLI?oxas;BI4eEm)~B_Zhp?|B)Nnn$Zy9KtB^H&Sit~OBt<kdEJz(0
zygvhQaqtpg5Yel-#u5F<W<kYB*ef*Gt%kmglT?f^ZJ#L%UjdF@PJV8;4W2%3P7j9c
z?$KTn&cW1RA(*lj;l|W3FId4m5<kUh{|q4OgDHZEac9K+orK0yV}(S63=yJ{_q;Ir
z)QhKyprk<@MVD-bEQFvX&DGtEX@sJHqRCFOO{E7lE)tp}HN(OM)1J7tb~UAx*s3S<
z6mJ1u%V^|QDcu@VQerRtl$ktyyn7XxH(o)K{%kR;ir0t6k(!yfY_J10%eM7Rkb<h*
z1u?ZTl2RJp(BpVc1LhWY!4QyeaFQDk{jF&5=_Lp-q?y>6$_kHpM8e12nb>{8I>z!e
zURuiRRBZ;#G)@uy#)gNW8Mt0i#6-+tFe<{>sz&`Fo>C-ubsHzZ0HMhYlwrMtj$1{l
zbOPcZZnXB`kifsfFq0TZL}1P+nRX4k$uk`Cv9;*X%m>(5HKt)MEUgq~^l}LOjX$`u
zQIS~G8z3yr(@MHwbc`32g3wDtc;KLaMk_yOjU{nm&G=HoB3*#fpDteaaVJ|?!V(gp
zzITDm#GrzP2wiA?P2)`<jAIW%uqlvm*h#1E<o`q1D#*eMDHaFnj}KJR{n1adYfkJ&
zVjF_|N$$fK(Bj6Vw_CouApR4$*oPdSV5Vm9uKBof8ALA!ZZ&{053s%TaRj$Arwn2D
zK^C^v+$GKf;WP2had}ns^*jh}xnuPEns@Mg;L7bOq3sYpxGYkGgsApsnCi-wL5Wp>
zQmtP_MQ|?7gy9*e|8_A$whM5~7109*sT5TrZq%Mkl;a|>1dhO}VFFQc5c?5{+6bSj
zDC><F!)w@2)zBqHj1+RF^^D=>?cUU9tGs(%wzor{X6l69XqxIPVn3z*4xvL!?!Z5=
z)r^rQU7(t($au)#->#Q|yUn6<v>`W+&?)fyj>du_j>aAwMWutUg0vF|(Cs|*na2^Q
zPqdUv@L5{-)L}vlFTeLT2nDk!x+P&bGr}(B#y;j&lLSx#`Kbh9bwo3(6aLWM*v3B8
zEiXkjJ|4Go_hGR1^ry5X4r!Oxm3Uqk>G0B?zBA_thS8j}i;QaouP$)jrEl&g_kTp?
zcuSo!@MtHj|3QWR?}y26O%h8UaOsB+PocI5!W>^kE>aTUq&DZEy-|xt5zEE(YAhys
zRyLSnGGaC};|%2%X)u~rOFKtz`+ywOfQWGyUpRKtoF!?>5rOPWpU&q1^-_C`X{lZn
z&8A7?4*pEj-|>shPaj#OKoLH;IXTV7RHYj2>$i(%jlWB9p(YDQ=#2QKq90%Sw=Ak|
zaGfTpLDR==ejWO!HY*lZkDhD~&oIqgjd_(e@phk4wC9;E!u9xU^sEDMmZWP@nn-RD
zb&gQ^UPVX(jhPasH5I6jUiN{xz@$TiZgXhbM5tdffxFv>m)AzG(JPU!u^3u&Iv?q6
z0a)2!txH-9@9T==6!1Dfctu4C#dDrU*&)(_H!Z>`!L~TbI-ERs%d%K(e*<P|7J{fq
z+|eURCr{9wj5Br5_U49xnFbOnW2waF4uARgLAo@IiD4b`q6AI<g21`j9W0f97bmaT
z{h?;#OyHb)D+Z!o!t|*cY@KFhZ$th>NclaEehjTN^&3NzJ10QA#BikI`VZ{Ha7&Vm
zRq3)2oj5LJ@4Sf*5|Rbl5PWu-$6IgfU$=z0_##wgo&dTVq}$$2XB`vu?V%!M-Abom
zK&1I=y+idRROXGTz8UKjWq!!{FtgnZJnB}sk>WV@NfV~HB{XLFAF@uvqY=C9`MQ<>
z)=137=DpXyz37~bcai<^y*2j7qx%OYC|h(xdjmrcnFju+iGswyJ{~4Z2XiUeQ;aE-
zq?bm)KXMbd&B?dcD;TtIQsJuy0O~l3QVNBX#`^6mK^<#yM@4BeH@We#uo;w_OnwbE
zv-q1^{j=|ii#XzTwqMgv71A@A)YegCx#y?5(`$#%^f}xi-R+XL9B!zOgmQCiKhg5@
zh#j^I+}HApsD81Fd@yzb8za4J=#P@4`5AEES!KU|;TMCPMM?V4Y}J}fCfhWU89EMT
zt(=&o>?bZjK0BvdTP0B$=j^u@1L%DHmJ=;oQufs<M+^nT&vukOagT{q>8!t8{-(I@
z7WjRnd*m=WJq2POB;miWWa9m|=G`vbvNXSuX1pcl{u`$xCH~;tu}eUQOTg*d$Zz+H
z#}$+7qN+hngmjTNvuw_~WAh{dvb0&oKXmah0LEj~8w5=tr9FyI*>sbUO6Ohs$no(F
z)a^H!Su4*=8WGwqEGo*1Zc7MTR{Dt9n;E2vaRki{2@<EHF%M?VQ#6++=3(o=F{rLF
zT?<yl4k%vW(;+N5BDhsqduazG*wmOg#>adi6KEfU+V0MBPj9#e-+IMfg)$SQd69Gu
zdQNPJo8Bp$L+=Js)jN~*Xr*7%<kq;9aGkuu?>7cZh4xi9RUn@`*U%1oN1YO|hp#{v
zy{mx;y0fH+!2pLDcwg?-Ez^$+vd5jUj$?%+&H7y!x3C1H^m^Q3v3(RekEOP}O24F*
zlMJ7gcmApd?(_s$d;>=dYZg@Wi=b`!#{RZ-QVwDYrpW*e?Y!}BX(_qDN(g2vQfEEr
z1*L?->C^_`$m}q|f*^7>0q(6BIbg#QE+?<|ojoUou!7`XkKi-lRgyaJ07$L{@*D_`
zjZ9f1(w`aNP%HJ-iBmLSw-EY8;lNzXVf{)7AvZl{6o+y+NSe@E<!$g1SyI996%e=^
zBAX!)%#76&dKwYw-{9^+2!&ttslq_6*k}LwNZ<@vINQxysd@XtDTx!i>*T)*trJJ(
zmz)P&y2}t!sv@4^AWURw3!)pJ0<iOi5-L&Z8B{V?8mr%K1G5t*%Arl%XQkxw<ySP^
zkWh$?b21!a+G4o&3Ch9L_<Ng_OEXQ`EK7KO5<j)mHe-8Y*Cw-$pff1V-=K8Ob7wsi
zmQZN8vsvn4?b6e0j2#+m;;r;>T)EMuflS(M5ztS$dp?&6j3;AIw@=u*VKtzrr#L9?
zaCsa!xznf2-#hSnTJDCh_Z#mr=B7AHMYRJZ;B%u{<&9m;9TPP5I3=94wdgS7f8ZxD
zo+9Pl!3QV{$o=3gKuS?Fl*u9&A=qkSWyJt8FhG?BRTL=G+{Go!jJ3+*?>*o2zS!hN
zE?7L?wa>_}tBDhIGRlw_6r?=CU(s}qak0(ThvHcoCB|X~C>Q@a4Ph|k{2wp7uI1;+
z3_KiBo3W;K_r_}bNypz0LBlHw6fM^v!38ZmP;7j%9hFiH7AY2ssv(6iO`)_gR%{CK
zRfpmwTL{vTu(X>?i9`rQ+Xl1Z#;!48vu~CHZB|k3_QgedqVq2vVDMTP44QFBo3loG
zb_Z{7y~=C2T_;&M?;nL$>~RhbG4)h+SJfM<f3)X-Jw;}O9~xV!2@&P_iZlzeXAN^u
zWDIq@!(gfixDha{Wyz<#1wctoTizRiCa*>fOo^o18TM<)RHeU)X0Xt~4dPA7SZWuP
z2op#W_^4^dG~h18O8a5kY-Q{`7)}u!TfLS*L74G%MytgYD~b!VMtCuepI1M2*O3IB
z#OZ+WK4N=*@h*(yEnnE2$;+X1Mv3va(ye;N@l>E?WKYYRC-tTj=5Ksn?$EZ8>TGcR
zX-Uu@6E>vMxlECw)B!>Sjyg<A${@f6!=IAy6^?NnZn=3NWBR2w2dSV4p2}LHJr6X0
z`VyO$xe|7;!0fWvW<%<RP2$$2LtD<$SdzB7;y-65bPa|D(~+zD{XcKP$#s}dYe@-;
zior}qK`|W-Ti-uXyRqIZWTqXTo))be%)R7*wq1;VKF;})4}!wvzN4=jYQY0=e<z~{
z8(*Lw8R)O!VQ`s8GS`G8p1%=vBM$V8+r9>Lt2C-C9CYc?thF|*?O6S3)1vl}WW22>
zdPGIp6cPD5Qm_dug2R3_rFjpQ7_TQU-(RDLr#V=1yoAZCI@qKz(B07KsI&COGdCs+
zTX|`fB+SL#fXdOTs@<Z>d6Ai?wdv{M5#o?pgxdhwTsEPl>R%kC&J^GlgX3SFpWj-u
zviA02Ar5Wte)L5pe%RQ5qK@!oEjX}1J#41tsLdntMl~hXq#+KU3BO-CBi%x<=9TH{
zwS7gj1jI49j?&(21u{PM+@}D-D6&uh*qs2Bfz4n?p)t`;q81P8qknA$5<A!HdPK}*
z5V@fTTSqPxTo?03#aUi|fz#5n6wv1832r}8uak(ag7cq18}>E)eCyH*cvSsuXsSg+
zEM#Ut*{mOJo-W42z0I;qs`edVnTu+%#`R1@JT0P{PNDS8K$M0kfgugqGzH9)pkMO2
zoKlroT)BVz8j5Mtg4Ap27bA>B09uHMyaKe$0`eR~QTodmjYD4SIH^zHOS~C&jz}@{
z?&S{@%F*yJLD@eGhQSKj9>veSBrW+graR+VOctefu-pFTQD8!hCKZUlcymHu+ASLU
zLoj+sM|E-~?mv|sD|*hlhTwhWLq^QXQ(e^@v&Pj+@zUO-OEp6R2d>rqIt%MQ@M81p
zDbK(+p=(f>@kaBcG2P|LH#L&FG0<U+#FFDpsVkXBPSYn<iw(+O#F<0(YsH)R_zG2N
z-9*CO3k)J5_rqr^wk)GM<xcQtCEb75wUT?pxav~M5p?lzJPqWeRt04!ezUKYn8tCl
zuYM3HB~z-EnuIXq5sL(6^x<{R;OER%$?J$fAB3!Md|SupyDu<k>lmtEj74Q4CHh#z
zFlScQSK6pa@Sr9^lQG7Qf7e%C0F`@oYt6Fz;w7wDXqg!X$_5|j$*WXx>Dkey%7bDJ
zGFb&0TPFC~s$qUtHvE}pF$4|vGZqyTAug0y3$%q|r=rur=fjcLX~U@=5#THM@XAu)
z$b%v_56QT+e>n>k9dfp`nWm4#MOtWig2Jx6wCL-X54M9mhOym4J#4KE2a$fU?|O?I
z{SoM;I)k!6xOWcuQ#EZa1Nvt6`k-t{Ur<|QZAL#<nSQjG6!ru&N}(U#*GU4aimdHV
zel&N~BG@8PFB33kG>-|gshqf2US7Q{wx@g9N1Qo15{3LMl!N;|_j+)JEtPjh)Zt>l
z&0lYowHjw?z%yt#2BxKg5cRHJU<#C3rBa#tiJ4JC?P~exoVHQwC{EwfS~U@+n%KgY
zsAet)Q7Y2iZBq6n)BmC!)iYCEzeajg6%l{SDG+<mis<9(I1aC_$Lz|PE0MY^ni=5U
zQHPSRLKa-lsIm1YgVe${Tb`WA*?0t23C*DyL|_1>2D5Sw2kRX|6(BN(2_}JnwqMQS
z(!TSLVHk&&P7%Vtj>5eGr)X;ti)s^F&<i{Q^P-q%0AQI-ytZUa(%|KNAZu7Itxp^0
zqorc!hp+06W=*q0C^j|Qc#OQEn{oF$l>B9;J$<}FLb2O_K*Ct{mx!B3kt#-eRR4?x
zI254hj4EOCJcuqItkaGCe8MbK!oa~eJ=qvRAwhCunw~VzDHgN-OyyZq>?(UyP?_)d
zO8)$sjEq0!p8l_Eg|+pNR3Qp%QYdSfCR&K6E1a^GjdnUYC3gBOdWv~%r$9(Fiq(9?
z;Yj=#9?E;k9#X+SNve(iCUM^-_c3U~;;)P3(Gqgb@D5n^ejpSKgcjW4uv^@{Q>(o3
zbGBnT^;y6B%Y+GPuX4)&q%;$;>FIFjMvha32=`*!c4%SJ!&bp<wTdCJ<zkU))(5Rs
ztkxkO(yGl(Avb1}95%GkW(eU#KO*o);Sv&xBM1Hl)&w^|eWQb8E10m4x6YD2PNk-6
z4VWIx2u2jPkhZFgmN`=kGj{+@{8e`HtyXHg4!=jYSJ7u}^DIb9rJPE-Y%H%bXKT0H
zoS(}Kf{q)>Gl-#;l0<IOX<Kk7D_XM^$}c7HHw*Ho!}KLe6M1<Cc3hppCy+_8%tW96
zAm`Wq2j%0yaLsl%-TOi6tDONX-%S5nqvH}a%k$r!b%(X_MN75=n%ZE^rp7&YBw{VR
z7U9;JjQSBY^(hhSPttrAh?rT$JY4jcs2AEQOZ$_ZryGJaO6(5=d_Hs>SqD4%lW~ee
z!g3(8SA7-}CSzpdT8^rmSnJF#+{-=Ay{n?K2kjG`fvy@g!t$pPCoWYf)BZw=LIk_p
zKHE0p0&y8x>@$U(5MAj7__q=+Q90;0t|O%dzL3^H-`}P**DT@9Sw(I|ly&Oek{MhK
z_wg|@5_^^6bV|}Tl*oHF5#6j&qJtsQF&0%-{xt-+h;bN?%%x+s@STXu<B30B@ZJnu
zE*s+~^{myo%N5iXrf&wn8k^C}0nfp$tN59<y1531JU`+94^~;c7asl1@Ca~qg>zQ|
z5(h5W*K%N0^)%>4AtU&gzF@ge8NktTff!8jvH}^CV<tez_C&C5MjACwkocq*65UI1
z`C?O5dK$w6ZsAdRI=m#-Z#pR*c-lYU63jcANvqt?WTqi)22pd+*Rf$GaIAZSTcnse
z#KRwwr)x(P15cv!I$Ev$u@p2JQ}i7~mVK4(6E1U)B5S8IYy88R+yrqtBivaXF;REC
z!gIbP(e+;Q>LA{2@ajM1gGL;|zo{ml%M!A8LQqJmVU>aUGkA1$N!xy=`X9EfnZ+$$
zB>7@A|ML0xeg9p%u3=;6cIhr|*r1`g{$M&3*KU7UfqrOEmS%QzmDBE3>`EHTVLm9v
zR&}fe%-hv8ZK;kKu(T|1*EfcMcc$ag%Wm>|gp0Eu)zIi}DU3eZsK91Y(U?5lskg|M
zdGKYY7y1ZG%;{X@h6e=aZ^}pMo-bOeA4X^3#&Cq*1M$=;BED3j;@6N%<uXqq@fXcu
z^%con127PPkJBW_Wr%6yiimDR%mt&J$24F(QcXM=$aGGE9<I@~h^h@P4aoO|NA4#M
za6K6JF#o`!HL5(mg5$p{t<|nc@jgO^INtt+TZ(oQ;qsj1mN3_j_${=j6pFqr`na;&
z(Iw^?W96mKIX@>4!dG6E7gYlHu=GQ8dg_WZxbhPIA;<OR!uq1j^=}&mwY8l&CAtfq
z+j<a?hpP|N>a{tD5(8OCTjz7IdIddJIS0w?)|-G`4%1Xf>FgJO<J0WVB|~-3Th0k<
zRgw^e$k|~BVd_Pwd9u|?aZMZxJH@>bvUq=JB~J{;{U+D;68#E@r(<)v5)aS|{ir09
zEP{<TxG)$cIUi9XYyN~c_r<LZ;YI0SyqlhPrxi#nZ&s>)b5w%mewTd`Joi$>pU`ju
zP|-MMapLN;b;TWuF>>GA{dY4~#>1!6R5iSqyzE&<GBGqZi)C~#l!5LNCaI2F<C0P^
zwL2f;p{Byft75}B)3kjCMS;<Jx|X)@&g`M9OWV1JK~*JOzZA)VGv<k@W#@i*ezvbf
zP9D2kh49bAL3y{RBrA}OR$i3rvE;Ct3hS$!H$UJwYo|^{acYL2<5@;Yh(U7l-oGyA
zd2)C)))*3vV-`fP>Jfs?s|?VVUg=1HXH%N+TC{E^vXtPF6XprZEo|{5m6yhr=wri?
zVc3j1Kj_1IL&o7k)4Aeu-6+C^9fB_jHw`<NYuYtG&bmE-+`GZysQVH%y_2pdkrrmK
zuO`|neR`Hs?48NlB${%&PQqog7wn_JCd3gTh!*BJ?N1Sy-|^0+cR2R1HMbjgoK4l*
zI%9_}=sG&PQ3T_X%%hG{9=yt`auS*4nytXeZj#&f=So2ul&G9`swNq~NmrX(DUL^m
zcO_5M+)95GM@isr49hraM@quF`1wu0&Z@!p^HBaKLm;9>T?ly2bB%7U>7^4RTO{;O
zI=J>0_%?U9F4g5BU3mz{yLVb!lVR;>LN@^Nu2<nK)55~dH{OhZf>=cXi-z<PPn$ec
zE%V8`rt%Z=jCgpPUCwSEAt*cIhZszl7c1?uDQM)L5Vyp}Y})C@(SJI40Zeg_QcZZy
zwhzBmD#_r(W^mOpnwV=Tu$ipH=v(rj1O`hHi=4?BM5bg9vbF7)sb$rxT#Gmpv;VXS
z$+gjil_T1_7nFIa6cz(0g*fc&cc~7Gd5T6V;My$hlIcp)Tg6l(ER7xyWUaxO(~*f3
zR?5?%P{H87IJpHOu>Qf}nseFm4G`e^;%SqoLR5M<nnmbUhZz3=<4GzlDiO=%7CUMe
zQTZb^&bakyRiQ(InwshVocB7(E;}k)8p>oe_3EfoXj@6^*}j-m|8NXnAGUK}MOEs1
zUu%L~vNTjUIO@6bgE9;0>#v^eFC@oGwHgEcsc|Nfxk^VAf&A0<Z#5nZT-@n*Ecj3j
z!CSiTElsUI9wN7r`MgEY$B(JY@2|RSF-cXaG%n_n^PMRPbEndj!rrhks+af^oy%6g
zbyAAGJFH|zm3B!$jitKMYoWk$*`UQ%YZ{JJ(yPTyWC!B`$N|l4FO9JuMC^F$5S1<U
zN9#$AJ%^&Ws+JrO6g--!MRXv5P`ah2FAM_d#C_BmJR56BOA{mt`U<S!qGYE*V2fC>
zSUC=B{?N7FP(T!cM=v&!ojY7DU|eAQ;z|BiW6bxUpseqlX0zC<9C?QM`T}lDfw7qk
ziFv>Sc5qfyrMNO{YzcH{2GV6lMES6NJiQ^McE?JLwQG}#?lfru7d8I#ntOS5A&($f
zBe@kj<zaD{QOvM6gN(lxu<j?u2mKS<l#eO!n|yx+TmAOO;}>eh7|9#%eCGEo36jtC
zJMMeW&=6P8Cka!0ye*_rpnP`jFEwmryY98UTT66(^W^EtaAlRdgezG<o^hmqNFDmo
z+r?k3nxZOaCnza=9bIaC$~ENU#0%F;WLm#RW~g&V+Qucr=uEhO*p)9{-u#FM_gO?>
zCnHHw+KDV19<&@RJ6E1(cWv&+^J?$ULXNLFy!PH1+Gp)2GI9x0Pf{MY0+cNp7nrqw
zSW#B3xX)9$Pq4CK8-4Gi6*h2U>cjr#7)aqzCwOz@k<FrnXU=3b*<H|*Q-%ztx-Ubl
z*F4j%&tW`hQX9xflSi9)7yMBq@x&C{M+whR<RAtJs9{8Xu<uCxQg74O?M&k)Y)E8R
z3bIPYbYc|WBI63g$5pkk{@fjw;KMeL|ESke5O2!twkw{4x*dZYB}QP7z@la}^;C?p
z&18f~HXe3_>xpg*7IeIf7`7YD{bQ>{3~>Mxr#*0uO0i^p;+Krlac`HPNQ%P?OsnSp
z6&}?TSQ^66&!s4QlEJh~@Y(sbkjWLLwKXVrh)Y?TN|qyUVGC;~`<qqkADk3iD%6>J
z>g<mas8-7@UZSJCs9QV@30hnWGc=MZ*S+~%e=pnTZ!!(^#^Pybm38wsz+&VY`*0qS
z6VLy$h;mNI)?`}>UdS=3l!a`is^*=i9*ULn_7wOS?2h#0R#=cR)W6I4DiDR5P{ue)
zg}3^t1zXOcogN#@tKL3;ao{~gScWe1tfq8$wW%asM-SAUVetmc#cY2i{Mz4O?y~vK
z%Du63jhb9z*Ce|YxvBhUaJ_qT(Ogi?8zG^if~9epha7lHf{gm)J5)$s{eopuTZ^f!
z$#_+!$FZhW=hHYw3@Q)sHBRn%?q{DfcDnhZA=PCWm@th(XQbj5$S?NtVV6i7ZNOTZ
zr=b1a;orV7Urh%U`l?2}mBdzZeC=oyA~1ROCZ`iiQySwB_|_QXilY_nTa?oldQ^gi
z9h2%Rd@O!Hxr#|gZ~Xiweo7e5h#~Qja)cFn2)HmpLKS>S_#4r+dlZAq*>I!c=yjv^
zUF_+SO!o?Vvq}Hi`d#bk!QIVG@Swzm5+Cuou-&_f-pFAXe6pLsg#R1)t>V8|m=xc?
z-Iqy_@?;&LEuZAbI+R?n;K1H{)4@eyaM;A@YB#x?8tr2OY#x=Am;|489#FRpU$m=C
z?7lvHXc=T;sHC^Yj-1$?vq_-~j8;Cszz33*R{pgfr^leehNAZDeW9vQs01I;<m|&r
z2|c2qZgYmP?PQ2mc|ToLKC4~t);}NDlMKjb=%VPby|UIvk<&+fo{p6qBuL?YE-V}@
zcy0F7%@`vqYtDr*Edy#l4@ykF`yz2+r9!`YvAHG@7^GegAH2M}1N~N!n1Kz1`!`Oc
ziQH#Z@b||LFJoUSP#gwlhKU3$4s@POrzGz^Bw8Zr=ILTv*9HIeLTlglEp~nCFO-k*
zi*>SyxPZ7@NSoDi=o+O7xdM86fN=itWjgw#@9{Yjesk#Bc6{V>doJMnh8djUrF$7F
zV1?ibC8xah?eyV`u~U*ViMk7MG(4^=UXlABNsj=x&rT`k)XC9H05={IO8mA_?t`K)
z$=gr>1L;1-x@kRF*_`tC-6hPsVKz#9zMq9la)I)ojN~84sjzVoo6q@DDy_cQJGYc%
zz6}Q<q)2K=;W?q-A;tWl9JSZ+X^a!wlb9(u;JwJzzl&WCuUA33++QfXd1pXO+49~8
z>@(s57V#G3dJ#+dJ)^kGr%b^fpb{i5+rtv?H9i{hCo!qdXJS5^&NtVp=gy(^>1RVM
z?zeJ1;Bd_?^r|3__{_;4lZnX;W|1r@`FTk&Y08OC@7)Fq-pn6T<_Z01MEgzsEk6r+
zytsqB%4DMO5Bz`J_$@&gmOI+PMO6|-k^Il(@o-T}?$`nLc5ZGTPd{f59~vJUk7Jh-
zrcR%qwQ{FsuzQzH1B!~Qt@r409<iV0U&6TWP_AxODGxSxRa&TM-3YDx+2IZyY5hd~
zXb_AyU87fiEx~X|b1<XL1fG_wKx%v8{Di?hK`*_!h+xq?uX^D=d?~7)6c`(t$Zx0#
zLRx}E5riL=`le)kNIJzMq5utbRj7OD%&OyF{9r$}-@&YBz+2D6As5I_V;#NnPPzv&
znE2D`{@LvzumNo_Ey-K0l5pF0VA=42d<K+30NXv4M_&d$Uj?tOHKdJIkHtZrx^i-7
z%cbq3pi_1FYTG-SWhDdGS;rM+doYq2OgxVW+0;(ma^MbbY^Njc*NdHDtHvSOIbO@S
z`tcIJXAha%FSbVf%YPH&jzaG(*FYm7HAXt!@36|mT!QR0BBz=&rU8shD}S+FV|w{O
z1I;b|0lbwF4G$C9+8BOx8h{16^Pq!1>6UK7xHRE)PBLwe_kJ$#4Kt<~EU@o$^LNn%
z#f&CZ%OYC)-yZaCAq-Tj$1ek;t|m_-bDW5nK9$Fyjwc8UFCwSbEJzmrRE4j#3uiYQ
zwK7NsodKfNrhA&w^ljweSZqv&1r-m?AvqXLXi*RCM*on8PLmU4N-ek@*Si>NZhk_L
z5`JuII|clCRn+PszFlbXt<?<}7nMl3sMveWtV#ILzREsDh*pAFH~~~$06o^r>h<U9
ztnX2wU2na5jL&^Cy|z)!_1CDOSX;}LQ2$Cj11C!}g2n<IlktqKUzs9omy^OWW$)mj
z1*QosOQrhJjn(MNSwq`9&a;*ciP>+Is1WjB%2IOvx-+8d!2&x9?YDW4!dAd$(#@z=
z1aZ@&bH6t0JxA<%V~txsu9nJ91nG9DAG0zHVKopb`ocUr_J+K=(6jE1e?3de!a1tm
z$4h(eGzyFTWAC>ffYWrs!ChXxId{=3P^xSu-Es8@;`8O)JNC^*SMYzy)S4t*lrlv(
z!f&b#ji4tz)&6>762Iz_+GI!SX;%G)E&lN1Dyv?G-k*9-?V|tbY}j?hCDxpnbamIo
z%h`Tp3ws05Cc&Ewg*zw~m%6KK>_3&>E?EKx&{hFB`wr)B<Jn&*l_?rqsITdg9NIQo
zi<Hfl$8vE%Sz4IGdHe~i&H5$(f)b4_oVFdRplp2u!3)%TId#;Ja`<-E@Ag|2>T<Oj
z17{pJ)K2miEKh1ye6_@6dGY+sHGeRCx~AfTFFpDY$`1R}@uJr#Lf43%m*ft1CG_HQ
z*U<P+*G2>wmGh^VPYFjX35Fwk!2=$3^Z+F1U{$EZfC5Hdk%MJ7<gE6yOyyb4mw@DF
ztw~qVNl<K@QWU#f$M9CP9%jqmq3SSC!Gm>^b~beTwL2$4YW(ZU=b}DD-O97=LUcM8
zg7uTgj~+YdB){X>mB{Ttqwd%DdZAV5K%dtWEk(0DMYDUthX%r*zI{x9(76zbEF;7a
zuEZjtF9P94<=QxH?<*Otl?g@hwEXIwn8M0G4n!%AX5140a5e`|ab}Loelsx$727lm
zeZE(rc)jkIy__f!-P|2b-ZQFMSxU)U&Ej`|N5yS_Th~3xAE7vBpd%B;_%wTQ??WvY
zbYUH7M6BCqniF~d%S^>*p6tJV>K9g#1eJW!rt<HkoAVYfsge<R0@ot3OgX9C%7JL!
zkzSl>Z6cpRg;UHWuFn|EOeVocQ7yIPiY$h9lU8<W7A#UxWLdJp3=q?~P#?d*Ssu-%
zc<7-n^ETZ<e`0Pmc!egO=n(S^6EA@P9%L_Rx3Dj5QVYdakH-~bI3YeEaH}Pto2^#7
z`Z+?;D<?yYZRv54RyxI0+tS?cWuVpPMnTRWI1E`3qvcPt6HCb(+e8I2bI`ShU-xGP
znlK8_d}U?DWAHAD*W+~|SH<p9j22UWjL=o@+rkye7jpMEGg1`=3U$C^0^j$>+h@#W
z-}lV|z2DQ<#a|{Pvb(3ZUC-2y%cY&~;BV&BPe=MNmo5QnE>N+bZ?kgG>COzTY4uTR
zS4@R4H>m~O1;10HDEx8-@H|p(^|)PJ;$H>sNv&d3#+Pxr|2%Z~Luz0zzY^nAun*@T
z10rQL#vZ;srPot`g~JMS3ig2>PP>+bMdAHfj!Z4zCV0U)v{;;!0ay0oBjfX<#!(Yb
z5}?;jHJ-c+qi=DAm&n5O>x^}*g_Nd|K5Jx{o{E|ROep$$Q&h1WRGtOIGS?^1Y>76;
z&l0!+G#lIEc3%W7SGFJ;x(n0WUWV+P4{;Yq2oG#azx{&NYpkAeyp+ELQ;ilAP%f@W
zie08t_gjEAps(Wt%Kk^52EL*Hf;=vEYwOq1IRf$QbpN(?-r?+~$J1I;7vc*MX=51j
z;v}F)&u+7n(7{16hdOZ<Qa#}<xz9y%zNBg1xGNDz+X5$c<5OV(el0bgA*nh})tu~^
zRK)G#%h04S{pd8oSGCM0R2%!(Q#_voEfu<tYbHtS1X$E7lNc~8ypqpbiPP9lH7ivR
zy0v^ydB5e)9W<E+(g%p3Z$lIG15~R>FQe0$_zH`Us^DC8cFS1!l~B#sYHEGHc~zd$
zjGi>KmyNB#t}nBq^8wywoE$Lvj@{f96dws3GhgpY1Amv-<_6{lZVElUZiIOCpTm)K
zA9wl;Q8S%8+(|Fx;3vGjg_!XRw1BCP&fdPvH+vt3gSUo#ngeYC8h~Je?%zXBTVTky
zIz%z@!1Om8WuP%D@-*zuBj}U2`bQnF2CmHT&LV`_&03`#C1f))_AUk98H6Ml0dqBM
z1H1rHpjm?OnI?8_>s?T1a0Mn4ETXYN$PSMD%5!q}AM%b*i|unh{&ML16kus`%P(u4
zx}Rcs=H<o)u?`(P5m$LbXFxvSQ48FK!Wf3U)-`nLbM#7K+h644xqVSCjC459Mk2rL
z8|E>!1^V1extuUsY%>Y<d=yO6vM#%1A}E(FQVat&q5}h?W>Wx#vg%b+BPMvNgN+mf
zdr^Z*ObxTIhOPC_s~vY>zk1*bmF#g@FhW)JnRgy=N(LkS>b#NVR<mqsfqT_QVN5^w
z{s^&hM?ZxemZ{%pnxrcrzX2I=K*m_RRr3VR-lcz4*ijRWF+s(&3+el!H1u}-tvyVg
zrUk1X%ezbNDsp`hl+Qm%-(0M~Z+4$ES$cxRtav<?`>-;DNy$~LI3Plqjl*6X9{3rG
zFJUlE#CM{>9}wUW^a#6U+E<(GVV|=?ybf4}yo^aQ7cu96s*KH62DsaI0^0nR)dkg7
zMxqCz(k;}SJ9TIUEb?w<!sKITGnEeyEp6>7FT%^75}<OEi>E(+id)D~U257#j1#0o
z6>!h#vv58WXCx8gw)^R)*Gs$Tr^lAy<63R@a7@56pz6pp3eqpS@))LD!kt)egl%D|
zLN1%dnHO{m)=xMfxW-mmHs#7bs@*I60Yb6>ghIjmGQHaanukDnhoc<!>AO(Lqkb<?
z2v+_$O;K@!zOXj(6l+(4wLIO!>dqv2+KlTjcLNOe9O~v*3zf^8V+_sg|74$amRF;#
zj|Ag#Z{dEP_^8+-<x)e#j&Gh+4RwI%q51aa<BC>QcbB0Fu=+^5>Mb&2HC47u=-_vm
z`aPLTF6)ovaVdl4XlNIF-EzoMO9=hmy(MxyZKN2U+@=<WxoXSf$9$u_3NS}Q{az+U
zF?noO5^J{UMpR$%&1gMYNuYJ?@+yNtyDkPIBpS3%18G0T2Ow@Wr}WR=3Jr%}9_zI{
z?Upo$BPzS7hU+5zYPwW<VfH&ZtB#UxUG<~zHL|wpo8bl!+6E1F=U9IA>aQ;HCwe+%
z!0p>?lO9OG&;77}aY*fxyq-05ZCZz^NACIp-2?X$E9*>bv>rFbjD&=hD#UkGd%EKV
zQGz8AmXu%Z4~-B+zjd)ZwEHIfYwK_ka#8ps9CLlAd5zU?)yXckd2&vp;4#rBSY6m8
z(l-WB>$P&jcg8nkr5I(l<62HI<hU}^<1nQZZ<)`g_*q%X*8J5dwNN6G0CSSNjv-1+
zTzhJ22QaMe37~Fk&Eve6rzV_9Pd1M%<E3~WSv3FTisM`sqvBvq&ngc3#W$5u8+|eC
z+J>wK9I-B^`PL8C<?efa2kMJ&3jAOFJHA&&aftjPZi<KuuG|5<o_mn)X@-RH+ln@8
zj^rQ%x46^dEst#(!vur?ALngzwU;y0z*N6Wzxle7G?*TOcrQ*36KTul3+X18rP|EJ
zOZSZbWME+hl){+c02@!DK!`Odc3urjXC<^WLaKX+-^esgzMO3Zht6;)h*QNm^tqy4
zyJ{f|dR(nFnwGE6T$B^FVFvi=eAhn!GW_5?_<RcWD8hV8uA6hMHp1&2olcCj^H^x*
zYL2JrelAO&r;2DK+!Dx#wSwP%iJtwI!h6#jU%xsRDfXbVG^pFA%a^E)86MLGH_|zM
zMUo8-A!jTH)@W6bR56t)*HD7GDAPOtV(1UK8C)^GU&K3PqZF35M0?Apwh5*>jF$eA
zO{wEAhBK`Bi3GuC_$F_0?<GNG$Gbk;YsY^F?@%sb?TQ3ves^g};f0Y?aNGf_k<Dk7
zpy#kIaa}FZm{J~9x2E8o@3H_~KOmX7f}b_2upNywY*Sk|<*CXutDu*h!gG8L=JxGv
zc~==vfkDQNNe;V+$C5BUV6Q|co1@o7ptOQH*2jw~(4{C@n(_A?f9>Mo4qHaNk=^()
z9g)awm}^aBX7khD8t*w5hMD|TwB68WOdI#>5EfWacdfcsI7Tzu(b59_g|PlR28Zvq
ztS8OI#G|B<aO>_#(++7ThN!=j0iDMjS-)YPlS?XnTmx3QwDvW_y46h4;r<(K>n<Lt
zB||0XEEhvz`|}@jeCG_%n*POy*E~I`YEch%WLPWC?ErTzZdhxrVc2(WX%Q~TFUhCw
zmF)v73gurxQq{walqjQfJ&V2k3p|+(_pLeBF$=|NHJ9*#bf)DiD6_)b>;prA!Ysc$
ziB)L`lvQDUIJLkWa@-;3uiX<!I@(1XZ|+R*{!4?o=DYUFTmhF57cbqMVLfn&b;6)L
zUC;-u^U`9{Q3>roq}3@DZXR_5B@@n0E#FIoFsatdQbNbZPh=cV<EE733AUgn|73>;
zj2Jujy~8*(Uh4m}z^sMZ5#^wV7AeLYoG#AwXLxC@ab+v7&8qf1OSY`s$Ow4S^}b=6
z!+&{l-M4omPz&;qKBgY#u|x2C=kaSn&|}K>XKdAp_9f>L?m`bvRBP5p&B*fuBSZWr
zYf{}}Bx7xOah0wyrRzX8?tm2yF}QV=&$i(ay!G|lvqvwlz5_}$3EBF&$2ekrFIz#n
zwziQwB{V%*!>5(&y!kCmJtf!i(iYOSQgL+T*i;o=JUWox50ivnCMrL^<aw*)_Ht6g
zJ9>cAYlnnW(F(QT-aS%)lJzjNusaRU9w_kD62ZGK4S-Bz$D6Q&aRx>V_S{o)AkA)y
ztW1G3$~#fPEbCqmGN1lwi{mf4C%z78<>@iC)e_Y|{mDRo=7_kU1vV!b7ml7ee9p&V
z15j#bdQz@if7HQzXq1+M?ktiLeiMOE96m8#_%~ZxL^%;EkA8{#y0%A(-4sZP$wN<3
zmQ<odA_f|1m5G+H{7;y+`<QYtz&vr#M+AUv*61OS6qG5Jpy)+G<?ocnGLzpx%3(>|
z$ICRgnmK<cLO?GF#8~4C;s<A_?6$2FJSzw0Ai%e5>YRIY-L+SaRplK<fV^}~r;;fc
z`fRqXfx@-feM`h9t^j}Pwdm_X0y`juRv><#X0v<%e}ebCze%3^&jF4C!CTbS7yfx!
z32et<<hT49G;4VO|42Lw>p)e(BIYD9147x)RiD(`!`pJ3-TH|UIF?66nryLXm=P#k
zFH`#~Pl$qj-0M$BqE;#QzsZ$C4NaIW6=hlv0cjg4R5zGENw_NK5`?M;cU(8FM#R5k
zuX6t8pn7aWv2c2>6PDZtl>eoY{Diu-uNa8C^vRnjrDT%oj-)Iwt0|-UTxoF_Ih00H
zR*N;oo8QuJvBp?!^4%#t<Gt48+I}m9jLs}>p0uu!gqjiz_XSK6t;#i6Pfb>5|AjxI
z!3{<9mQbn7Mbo|c7h7iHXS2q;F{Qp9aTHd+-0>$D1{nmdn#6;iVClwkVussJDb%v4
z2Vdn*d^d&FXss>MZA&8<>20_xqb=5_sNT6DEC1NB|Izj%1@mI@VzZiME#rj;UgeYN
z{KCs`O=rfjp-@}OjlWDSm6d+^F*Y?>hJeu`sWRob-l9;-#LAbtNW<)hDh<}c$RUE%
z!d|<!X$`Bp2x$(d>Qh4PDeb!Yk{<Z;Lv*hSOI^v9YqC9}$?CcSTdM8|CS^8}9=%+~
zVEz7sj6EE@^eWUw<@oeqA-(i+lFT_=f>aA1xr5Hinbq(1^<$9jI#*TB<3(KdidGJO
zYb857IiaS!ly{aX@}Q(gBy0trdy%=?J+*ku?S25JTa=5U_ttmkdIzA%0x%m^O_cOQ
zv5#jf|Dof$V$+t&LHq84z2To^mC;q%1KH)W9;AK$@wcYf0jg3fKAp~qNL67n>erf<
z5H*OtX_Duu=!dUA+c@#8Wre%$LHW_Rljk?_Xt^d;j&8Q1PCe{8Lj1(ZQ4N)0o9LfU
z?68rlB#i0H43o93!i#yzmQ;=He!WKnX@w#D08oeXDnUN7s>?rOS8;Pf7pd*9yyO83
zI+<*KCsx`A5?5Xs4^+&pGE@u7gv;!E%HyEwK^`=^#G;2@X*^7a`NPgV6Brj(w_(57
zHnVBmE<_W<(rK%kBg7lF!=B5&^E@JyB?VYmsiCi5fm<@jEM>1bduwt`U+2|AcvP-e
zuTYre&B4kpdZT3`rX8c7xvY5K;c%1{Qjot00av0{+_{Bx-k9d+{~4A%FKcR6{(5+P
zkr<a21Kz++Tt&tfhI-JaYN=Ayxv#&bI@!1bpS~f%z`nng<zV3)N5|GhIKaT_$-%*t
z|6lJF`v3J_0qsqkF8qBx*QFa@wEpdJS>pUP2Bl1!nHpRh20QP|nEJ-Ct!;5rqtC*u
ziJJZhzBK#T3aqHwL6r$2yS*^@4i?!mFfh<Cs0%oivyWe3kl$awN|C%Ik9D$dTSkS^
zDq+tW89FxCv|Vg8OGk0i-0(ND<<y(DpjV7|IrssXA<u28btc(4<fc+?t&nl^MVC~u
z#k26PDxg{cD2}Kh%zz&R);R|fL=NG+_YsAEvP(ParI>+As*h0bn4>Zr1*P|6oSOak
za?541TRIPor~&(FWVxj>`AEs9%riH}>83&Ltj%oz#lM5_iWaY*V2@6`Mwpcc?1bUB
zIm|gwuf~2t+C;g>dlKAmE}H<@TR7Bfc%~><zm&Sj7X#p-<AE`8n96Lz6?~HHBYb?M
z34bR^WeF+j$qVUts1;GrGN(A5RmBSi>fO6bigX|~2$nng3h|8V_ro$pi>1o4%sw6@
z*M_xA_yGrme!`6n>CWEnS-@`PVXZ_UvnJu_Jt@NV#B$rMMy`IH?57T~BmjD8$Qn<4
z&vL52(&GmKEG_Z;`a@K6Mh#NMy;IOD|6RobvA?SRJ<-*Ij;cBvn5kurae9JtZm17K
zb!vD?d%aWGy&>@-8-e52VIUeO3A<G;=7LdQ<_H+<l9b9kYB5YF9E^AJwnGuq35)0+
z^zV~4wOsu|vR=5Ku}@D=v)*xSe04=60mc&3#;j)3Xuj$~bvy=9_qvchLUk%nc`JhB
z4g&KZD0?(RHYYC@*`?kQy`kHdEYL#ybx|mQAl~p_1122DBGFV6XqUIJpwKM|qpQ;r
zzP}-@Bg85Y99iF?PjJ;#kix!v3D>RMgUwHC+-|$EU$r>b<jX&X=E9p;u`Y`J2rZC*
z@Qg~zN-eyh^U%h%&V8udpBz&($8G;$Ss#OZc!Br%usY#c_wIf_yuDhWJ{?>3o(i)2
zmOewi1tJ`f#ou4@pIUBUdSOH+MFN}bH8J*h;yvbmT9pK4My42~?h%@Mw?5;UulOdQ
z&!`0SJWrMww2&k9!HPzKq#{s~-9iSD%$o#RfHX?Vf}=EJ|9*%~K!13p_@R{02vau&
zV4(zY2o<mFfsFwi3cWD}90YBOhY+y}MOb^VrxguL&Pm0blPUJc%1r{(56C)E?pc)6
zMaZvQAV2A|ibT*#N(*33Vw3SoNTm+=3$9vqF{4G;WTa}isO$6+auReE@NmhiCz;82
zVPCzcOT;t|wWSkAj)lI2$C%HK;ZAl<lc~mV-IvV}#X~i+?p(;eLVwJ-EP8wUe3ZX8
ztO%@szm#vBzcO`_@O_=H*!SI^9n9U1EjU~szErLpg@cTpIY+HRni%j*#7hCl#Xp9`
z7RPX9qE&)aa}`p!hlKmFP@TBPhNzH~JdphnUf#D-797Te`1l3iUS@;@c=>(6{qy$y
z(nn4BMZtMxQe>pdy<rHm%U>WWX!m5C<g^R+yx@A2O7z^4s4&I3G5U%sTZg&!hs&JN
zifE=>2oIWrArO*<xv|Gn)@H|OMpDe;BeBRAv-d?J&IDqEht?dbIDQo8$vdyBX9>u|
z=)_DIO_HFrMSb~4z7NJs>3&U^(C3YKbE}|j^457*E{R^x8}m~Br0#jLoWsVRVHPuO
zjbK3lwcBIDZHT82`=PR770TdI(^C3Yg(q7RD-QkzPc`~M%L}LGm$b>Q!W0XO_gKD%
zR*~|fcd*SW)0plHw~3}xVu5s;c|cs4K)DNyjWO{vc}_g&P9oEShdi^0`CBdm2K;s%
zp9U036N)lKIL;tE>J_hsg><JQ{1(eXj4|`nV1+n@T1?Ynq1sO?QWbtnnvHy`ER6J1
zP#WuilrlM~^pt$0U51(<W9*zg^Nl(Zur4M_Kfe>0^47N`Dm7-gWq>6=#KnyoAwmpR
z)WiS?6H%O_^kUg}a>tM#x`el#?Vf^r9fG4b4kdiFG+{42JlhGugN2;=j0r=^`rxf=
zV98%;XJz$O>;GEk6AY=%{vac&iS9Gq0f{0MljfP7v=}_H(Bg@6OV^x~nqiCv@P=?E
z;A@&V4Iz3iHg-iob}QL^3ix=bFAu?;JVO{pf5DxcOBjABck$LerX1Q}lxivBlyQ$c
zV`K0=0}dsFJx5L0<(<3d6cum5#&U?H9G8XUZY=-}(y(%%oH_6YZ;e@!43R*6n7s8x
zx|gby$U&np(W>X9JyN1rF4#a$A|P`{#%}P32@Td6^BaS3Q|ce)sgMBmD4CA4W(1}X
z8gld#9hX$MRZmqmCCm0$2JQgi@!0>gxDgbaI7P11QOU9t9i7TID1UFJEjU(XSo0LP
z)`xU5weFoCiIZvLaq)-Gcv&}~o>!=H*4D+%^Js`r2zf1N?dW*5K_^Cz-L{E$OLIv=
zg!n?SQtu+f+U<-sc^UQm$haSh%y?QJjh!_0iphs`!)xVTYf7~TH1H7w*Qca1)QYt=
z9R(RC>D2!&%e%bukU}amsI8gT+i7y4bUgA(b57=D*a^aKEjm*7_)!m3j<nO69quA)
z8DJ*NFosbY{YNrAg>jvCcD;@Vf3k$P@V3x?JfbX}?pJxgheE`)zwQQrzir_PYCMY<
zsh@u=dAC?QPcHufk&EE%d*}a1lEWC}&KWfQ>|!RST2VB+;dg3if>2U3BN`cIiDG`X
z{csbfGlWu!c<l5v|B(yB;(>&mb~KK(SddzBMdwlM;A2j89R5N3Ks#d#xeC!BNyaih
z_P(u;%8lHJtXPCTgE|Pe!?#ZJ_)`Yt&2;+gbjj#lV4s{j^@?;&@F(>-X_|^4tnZ(n
z0Vi-a6;aH{0RIrxAQF_ufY@-aoB67es((OcV(Z8}ig|$w!|iH2-GZk$cVxmZE$N&|
zZF}7S!Z-*CI_}0niga91I8!Cu^J|)+xZGz4aRDUe6gg#oqt65)HZj*>ftI?oyKrbQ
z+MP~tEm?_9yb}9R_UG(MSeR}jVIldk4K(K6;BV;(@6pD*GrKHwu%`A0UWl&VoBaIH
zwzM>Wp!gxfyp@20y@%EeCNzf{@JJanSPFh;Ms7h6$QHhK<Hnb}b5$P}Fw<4Ps`f7e
zh>k<xKef+1b4MC|C6GEYOs2Sc{KOn}3Fz1*j#)A{MSh2rop{AIyMn4nVWtqAw&kyj
z57xXsuQE3)AArLJ_I^<_jKmG?2^8stBl?cEDt36vYo~STK=v*3Y;!Ps`k(Um<5|;T
zMXQlfI}?Y+7njuoOD4+QkIS3VXutd;n%sF=C2~y(%!%|v?9u(uzs$hLeB50y!U>^Y
zC6X0U4r0t)i73?wNt6auRxdz!kUJqg=dmn#LOK8Fhi(%uU24xt)s6Gj-9`UyGpsIQ
zNNz6IId&kvK0UZ=NZDpW0f37d6uH+wxs}z!$1w7%8Nb}V&D=JE?Z0!*=|*(&OVg(G
zibF-SajJz2R*KDb^^a+u7U}Eha~P=Ll}$kH`qX@gZu7m<&K`Ju?iNWan+8P^zcU#p
zpAHPAx{RpJA>@AgKgYhH?*3exZQAg<*|BcizWVxE9`#XFwZ(thHML5bdEA8cjbmXV
zG-xTZL#rL58>D*Q6X7Q<G2@qIca4!gbwND^Bho3N$DgY}!R@BMG;-EF$mR7v0D?e$
zzc9;jZ;*!5`$ZE~DXMz`ukwyMvou}cc**K6^a$twPLj#JI;a{1>7cicEoK#Yq0u-B
zN8?Ijt<I1z&TyJ{dcAvfQ7TZ2MAxea7_eAT1%7q<q<E2S9;++Z%_kpVm+vO|yF|!Z
z%I1oYb)iXppHVC|saNl4v9$RT@Z}G~dq}3eFkf{i;}ZI}2!U(dKMLmIC@4<d`%!d|
z29xT5eDxVH!Z~!Y#vV!rd|Hs~JFks{co^ZdjmN<}Oj34tQx#V0U<2$?bcw-Y-ref<
zYXLD^Le6dA_e~2|A-@h+rK*qDL6#pRgV}~NMVqxUi|Mo_jJzVt{Og^^?<1fWfUui8
zuJCPES5E71H6t94@-f^9@@Pv%C?BWEHHz^yg3FKU=QaD*fib(%q>phdE=xdRjLd8L
z&TIT08wJPKk3Wj;endWchl8s(!4ze){vZmn3|)`I!5Gnbm(hD3U@tZb&^(A{7%pE3
z;#+iuZ&~GGf-?muK@Q)9S&pv9I7R{N55vO->dy$)<6w?6gl~dD9^IlKgDXDLVHgML
zEk{RzmgHlcUWb{y{s5^X_}^)e1{3s!-(7LXP(RG^M5)I9e0j$OMV;ReLhq&^R7}z#
zPEnpPIB++EHgFrNP6;{whJA$w+%&-m(nM$Sq6Z00V92gr$>462FwamD6N06q*#yT7
zIO)2N!+6Bd9V%3UTX*<R%G`Z?5zL~TGadF84l^MHiX_4v6X|S_Cuv<$w1L7LPcpQJ
z#631!`h?16Q=HbJmXtmOq8(;U2?^~fjPkU}B!7%>UcbV(Mi*pieFxyiK?dbp=A?$w
zjJ9r=UDGC>F`Lz&DO_1Y$I|3TxRETFSoG4H43;nn!h~0&aE@b?(0h(TD);mUTmllH
zPx%<fpU?#7<AmL@G6-S?DwzuOhMqn~L6*%X{BjjCsbDVgD|X6f%a3<Vrq6_Q=LyPj
zmN(VfDI3L?ev(8ui0{yuG9KEFUgZOud<ta`?kfqiGgc4nv9{{HEQ0E^=!YNp9a*d@
z+@3_~MQ<Qei<<-m>z*>H{X939I*OL#V+{-y(V$w4UtR+WBgI(~%`r++l){~eI*%Bq
zr|hz$evsiIBAPq7W-5R}+ja728y#L4oqigO(`161Z1uDm1sT1r?-SyS+bBSB5^u+|
zC}L98&{PY(Zb{s}l(MTF`Ta9N&IoBBLN%Cj9}!cO(2VPFxGPIjOR^^o2}U<|!;ZVp
zW3KN_NLuS4MnReew|x9?y%ZU`c6$zV%CY}TCXmd^X9uO<9q(I%27kVoxk~p0TR?FJ
zw4yR~Nv~=YNYI;>Y=~29);cU3ufzypLphTK`%9)G!(l86pP^mdgE>A|2b`STjj^GM
zdyIm9GRuLI*J&`F;vrLp%)AoUhuJxLXA;{i;_5Ywb3DSS?6x@xZcdp9flKEc+$6XO
zC$kBPXOliofm>W?7!s3!m|Qdshz)0VMcJ@8Y69Q>tv0S8yNw4fvN`py;E@~Y5sq;R
zy@+ldkR3XC5?qP1PG}F+8EYGYXj^U_U2is<19?U&GpkV}tzE)pD=*7x>+)CGT({uz
z{z$=a>ns=g;}4{w%^mUo*+V<Tq?EM$Zf}pCU@O5IWUH=r@cz*UCz?xuupAZfRWolo
zU#HP5g^N#pA-sD;qzOR6D)E&J{O{<z#)bU6hIW;onPNl>Oed4*R9Xq}lf}g4_nT3h
z7zYy!s!@=-R1;@;8pfkLXyz7u0LX4=({x3cF~^wAxV32})=MRDhXP`Ord#oZah2kk
zW%&Y{N6dU;zEyL5fv-tqGY(>U1)rm*h8rYjF?D_dVvmCu;hO=T7AbwF`rW+REgbxW
zc+KB(?0<ICQ)gZ!YBrlcZrO%Nw?n2<C^tiJaU;R%fa{PwR3|gL(hv!y6R6GK(cbHM
zkd81#IRGnVnW#Xu0@h4*#Fct}=2Q2Ep0Y+kjv^dnIr{#K3FQub|HW3wb*r;G(460Y
zAp^gwZ#B>;A>b4g?>?1=t>%FKW=+231~f^G@lYU@<6(W>dpwNC1UnYh*6YkfHkj{e
zJ03{)0bF~FEh@l0n{YL;e{#qbJUE*)y&B!3IFa)ziBSgvGMdr~bB<{s!j(kaS=w-P
z1z9zE$*8#e6!c4;!Zo<0Cwj3e<OQTt7p7TG69eqpRm8{V=p|1e6-BfKk52?77Q)lq
z6m)kHgpm>#u|I;4MJ$Bq#ClIS`=QQeS3~nA>yB0;0JLaA%d|*Z{M{)^Ko=J%MS~z8
zj8T2icRQ7cX_+L#&FdhI>z|lJs=OX1IE(+1qYUE-+(SH@!nMd6%|N^39H$NR3H`+O
ztrN;ZslhhlElAE0pQ?d4iq;_91l@uggz27Mz(hfqQ=~!VD4?ju_$G&1q~DAR2oV7)
zR(7wg7Mjr;fzd2xV^)KRAigDbv#C!@`d2!`5ObCtBNgppwRWD)T$Q;)?BKipz~%nO
zWfR^_aI;oX|86&a)p=1oE8KIUY)0tYwzQ;WWjc(Q&5U|CVU`ogX41y|YdSifUJ{Z=
zg)L8r=m)9lkPt^GC61DGLTDIZxd-4rSdoOtfGaRrE}UvEJ?oUfJ8XgoeWI9t5~$L<
zmnjxF7>rSJp@4+jorSBVc~=r9CB<TiBig-Ef&HDS05xjLIcy|8`Z!AB5g~7R?uJ%(
zcj=5+sJ#m_q5+2d_H>RD<@ZUN+&Gpyc+#4OSt28o0B|KpDo2^I+l{j&3$i=0R5Oi&
z0j5`%55p9)>hV0GCo>&rUpVMn<^2K){)Z#+H%I=(r)1((Auf-UbDqj)$j9^K3TO5_
zu%R-Rg)s;_47A#XenT7WA>sIn{%Jo2PBe3{Zf@(mzNVyt=`^}!Am6YGB#1ihUpA1#
zuNH7wuaGIKix#F+UhDxX>Pt;=L^vnT+3|IJk|tA}=C^1Man~O@Yxcu<ST|ps(9|1k
zRcS%KQWMivm780^MyA#1!ofAvAK(<;8$l_kMtCCqFWLTyQ6~EY5I%8j&K1^z`ROt>
zV`vvTH5UW>o@0mh(3iUp4v`nM$y1Eg9Jo1aGnfzA6c556LW3Z~SrhrLHB>Rrrzy^G
z3}lB$UG2#|`<+3soIr%^SunvUVyb~ZG^_-40fxwx^5-LC{3V8t&1X=aL!1rLuun1j
z^1m6z%8a~QknR)ZI{)S9E?Ul*=?Z3fG70i<054(Sak&kW#Z}u>NZss%(0ZIEaWbRa
zQx=3AdbWtPN)A6jgCwP|7#V8lv-Ld-W+@xx?BPN}U%bFmKY;^DjXvAOd5eb0TpN_+
zwwA)UbMxG=EOfxCU1_;AJ5^<>X4mGZ^atUmspg5o90Y?gM&fNU)MnS?Srn-Xn5tIT
z1(xYAl|Y1X^(jI6jG-`1lWCFaCuP7Os)qjfLp%XQbe-SO<BJi_?T#AU8MGrj;`D3K
z9qv9u3yR;9${%dM*@pUET_1<N(Lg{J`yr~}5)!i|Z5}Rgd~5_9OW<;OyCjW4UmU}n
z_m~BEL!3spWV%tIYa%!(O8U9R;yo=xD@=rZ#Vr-MFdkVc0tHVllypRkAPnH&VMO;Y
za7(dGEQOql;8KN|<+6!CPEV<F#XM0-+%OPyWfMdgsXGgG8E}Kx7Y#*FpJgOD6TrQ{
zX5$o-^&&}|Y$Zim6jtH!7bdB+2y+Jsh*<GTd$u;J(>cU@E*k&xq%5Ri1$|7y43qdT
zIl79IYm}sDK+G#Fxir~U8qLb95RCw>f%?fT7U7#M^~FP`n-RcuWYc|#tV6|S75e<U
zy*&gwG=BKO5-={BT(AD|2dWUkiuoUFp`|v(QI<@wn9(9;8Sq!P*ie%TDX1u$^|yHt
zsL7>V?F*&^$224j0IUP1y#&bqR2ii9st%9L`CBE=i_GTp+K=b80#cGl0Cts3X}b_-
z#1{Mri;me;i^*0;9WW@u-H8^TEeb<b4J{QW!~52igU%9kIm;kmy$;eLjFaw6Tzu{@
zXM$QjL0mAh+-keCu@~WJmInO@(@Q=anJ*mACRndxS0bK*QxglbY*<*cmg#!XzYH_3
z6~I=3a=qaKZo|HFr5NR|w<_O3abF7hEre!{G;=#yOjz&bYgJ=ekv=VLYSM%=+Dssu
z12%-zF?QnS7x}ZN_#&zjb!cCKLxl4Z9IAWQ+AF=6Wl>-m;RL4;Fs8vk&+j4s<dCLM
z*=Yy_Xz?(B?m9>vHdwX2RPE_$VpwA0d;Ew+8sb3|q<Dx@91OSVX6AUP0gRJ)TU8HD
zbij34ii3>AW7nAP%r^GVn#hT~54@N(Ph?OU##xR7NNdkvX-t&RG-7ny)F6p1iO_iv
z$BDAyH<)F4GEvii@XA3lbPWjcXxtRAM%_T!Y%nH~C*SzVFZ%wZA*R7+JM$#xAkR3-
za5TqkDJaXyCtvZgvgH~$g+>r$E3*1YUvv@~k$9*YN_8cG032d?*(Z)kTs{v29S4d+
zrmZv)msaW43SMm|&B|wLGmO(^t8yVkZf?qGHoPD)5+gi^cQyiE4Uyp>{irEGVVRQ)
z@y1dG79(YniI=j{{1RP>a3_y^ME9r()RaU#!3|b9tiBrZKnG;1)E!TgVA@2zSwF+S
z&&Z&}vd*VqIDE|@eQKaj;~-OhCMo*F-UPxQDnL`5ry-sj631|sa)g3B$CGIe{ZVKd
zZqpRc!(^64x7)#Rh=+1y*GYOsW(sEe7Rpm?`uT_dkz|n>evX`e3Wfdo<_QXIEd(Z+
za%@C(g0G7*{dBh+%?n%nqT9fe7+WVx*p_u5t_@UO!y~N$Oqc_dswEGWj+A8us|{Tc
z{XK<VXzy=GUEfsXMg)=ag}v@gIka9=Z7Mr}vltx0mU9U~H@S+aS{N7|YYt;mZCKQQ
zaku(>sOp(@X*61>SJ~+u-7WA6<0&FWUTpCg;%SOm#`HR%FJc}C89hE0C8LqLc`1np
zbhV#@B|4Z^>M1W)-j^`nF_7khKa~^lKIC^YT}iaFK8wWQjJ%~1SBo0omFJWg7kPD^
zR{X1~?3EQC@kVTW8ge}q=CB73UQ^9qk)4SZ9t~)iXPP(OKxshy2)YRo-VU6L_hM%_
z&chgUM~a^Op_@wr4XW7j&d+ApxXObpCww<|PLC$gmtretG6+OiYytg{E5|Kx2)MGH
z37I_UqHPh<$*3GIVwBX1*`NCAap;?E41jZfh!B>!9D{KX$2e*_``~LPgcFKZRr=Y-
zc@RdKvT>Kzm79eD2RC@J>G8*{JMER?uAY3kVa7f&#FrpYkoLno4N~<4AAy{?Kq`(i
zESGTR8Q5Cqvz!E1j%-n-qL@z#fv5l}Es8OVg4|8r+Ym=X6)|)`roZd7rfEU!y_-Ty
z)EQG6j8_ef_Qq5vs%aPwJ8<)}^3r$L)+3o6)%2KEN9~TMUiY*Oi2Uf6z3tEepWwm=
zSx?==KzyxX5j9)AyRGt_{0(Kd=T<YzgTa+654;FAMf<iKi4QlUoUQquD?u+a1E7bx
zTNV>joXw)#SWj_mWTf@bo|p}`_&IoLp66iO4{>TIOGF1J#=(}<JiMag%Fj!lLVM-Z
zBm+onARH|H;RoeZWu2B%KftsO!*Ce?C7073nuF&lrah$HiONz@X|<ekt*i(~w+$8+
z6PGhbI7p*VQyK(F9}fZ+c&1pKx{ecRmcSNVq{)Pa`y6v)?;)8f4k~<S5sN%@2whQz
z#a0=21Z^K>lOT%F7)MijDjZC|Vn4WM<%W}6Ok@1Sq7w>{X=gV9!;0#G(9g<+HN;sn
zfaM8s@!~Avfrh{(&J(JX=|M@c8##rimk=Qtz*wEFrmmy86cS9Bhzw7;Jaf3V667bD
z@-dF<lWgRuLbJ~%8I6;m>`&Fl1e~P{8jPd`-4NEJ0R7rKK0+yGTT7@f%-jHtBjQvn
zVB>&C*Hz%M*qClUf%Y(Yz=>g7hVl$Y7j9z+e?(2Okz4D&?Cc!i^}`SR8}Bo@pt>9V
z@drNv4HcT4kaX>d9-MNoY#>4OJ-w~1$P1V9B!u&tAEQ~!<8MaLWB^;|hsyae0n{F_
z#%4!vA3si#&+l-*%TENJuwC<~z_5=W3zrdWM-=|7JpA2O6BIe2c9Afhq+y)PS<Kee
zne`=1n^D!HY6+L)27laWV|LHSK@diCH3!-Xmq^NFil@=-c?~4qMqk%mP8;Cz^;ATu
z&X8WGp(v=@ZAhs`*Fl&Ynk?cwK^1Sa=k}ioOyM{~+J|~pkfFl#h=b|;+Qz_C{Fc1i
z3QQPEUERAx-O<?LBASp|E%X}a?2HIq(-zrM!40-e>6UJ(&<EyT(@-{WZ&@ck6<RaN
zQP1@%!=m!kP#<Wg$?qBzFLM*o@&|fbEfR#$^cap&oWx>@fK!3eAe17b8a_BqLGxVt
zd3R<76~W6Bxd8`uh>PPlO`}y0V>Hh5X|~&Hjlz69>o*6<q%}!Chfx%?u5n)sQe33d
z3bSm6v)0a&N2d5yP(;(potLM_Z@M4BLx0ol_52szj~)N@>$cx{_3`LfdhM*x<xe_J
zBe*4Zr8CrutjVQwkOpFj;7hYo7u!<MN#Z$9b9PQ<j2E!Sv3^_yJSb-PxFu}rGX{n$
zLmP@LBfp+BbI?o197OV6StI+5wLRnPQ;Q80Ov59-TL88{i?pXby_PzR_@Is=YBqi8
zV~7vw5aOL9QL)?sL`^z6eUTw|>1MjyD4s=;wNt`<D9An#WSD*!*mRbS>jDF#f-aCv
zMdP~8K^5%5XTbrPy8|V+tJ)c=YmEEWgkQ5O*AVJfmUye-Y(rE|8VAu5ZI#jOI{2W{
z-?%2!VhEcX_9b*o)XeKaw-h2OE%KnB8ARCxlIBfz3m~cTnSSFTAY3^5M%iL4Tfyb<
z#&`-SB~aLLQ)Yzo^#IE51;{3Ya(7>InuhaWaH|s`#`$%UURk$S{&-&7HOW_matd$#
zxCe-9+|R;%c@Xw^mE${X51ZyjG>m!QPzl7<g;W;GDh}PvfWFgqNB;2#`i>RIuiRB}
zJZgsOopbh$iLe1OgDc2UHcn>IkY1eE$0$kyc2{D+Z%agCXia%v;vL^m(VvA8q)}jB
zTreDxc;xMyeX;5uq;$6_>GL9tMD~0Vu!CL{V5@~bO_Jd(!k^GQNJEGdgLx1}?A|m^
zELy3FZ>C8Km$s0O2+`}52oyuzg|XVOq0y@6F{toX>;IuFnWY2#hVDgpd-{6MyfLzQ
znKdWD^gOOLYV#mP^p$qrd0dxiZ2C-afc|`cUhAFtXK#DwwGWUJxW@f$91eGhq|D?k
zGDhu>e&?0D#WuVGte{ozZKu=i74)^8&DaZx3tAuehp*qBb_-fx1YtBwvEAB#d-k$>
zbavSB&#bn=EFa@IXSeH@wRDYGZS5Yn2BBc|8k9mBXpjmhp+PF7NAK{(kwwFB6uWCW
zIUSDT0zQ)#MO-GWig`?07IB!gRL66-#iW^N8U7Ux(2yBJ=Mx&zrD{1BoHL1*viVbM
z)QrY#<I+Wn@n@0Y`mKA~J3KzxMd!6g&F9TW=QXCyyZ=1v9+9GtFa4wa-b?>g_v6{&
zo9^-3vt6|F=n=nV_sBmx{H^=ZKRIz#e2RWlEAMv?{I{>qKECaBPd^?Wopn$B4y+4_
z29ME?=;uf7R=w`&Z{5?6r`><N?e@-;HcI_sJwrFQN$L>Y0_wVx46&|W#ABghh$;>z
zIGN=%IAqyyQStqGt$TX<@m;swJ>37O4~mOGNd>PI98jwmm|k2CijlAwm|4LS<9~^R
zC?78}d?r&L-yHVd_-CD$j&AHK<#_Y@heyBpuMhW2Ac`900Ht`pJ@S9^4`2K3*IftL
zf_mk^*_<ec?5b2D2S=}tj^7=9?4F(;pSlD=FPE(A;lV5o^V>z3*Ev2q>;CiX<Ka=S
z+ffu)X_a!kPfm}|jyuP%%V0X{lmk6`-6Mz`b?H=UpB}&J9ytIP)LRO83EqV@m+IhM
z*MC(FoYpD_-07a49Uf5A+Ii_8z393oi?dca;N#Q77l);D+NvQ1@N68WLo^N2#bi(@
z`d_=9Gv@%T8VhL9j(^nYzJBe5XI5BfejoT}{_EnI&59)z_VFA?2^`=Kvz$2Ri&&A9
z?$Q3?(Tid$A}W+4{pPUOJ3M;v@x(v%-*nHqE)C+SLtPXB6TB4ptH@DN4Xe`{iwe>p
zhZ6uHfx|-ld9B$Jj{qH`D|)H;Nt)!zAc+p+j3_${O~l>e^cS<`>aF7H65`9Vvy&c5
z@$a(`77euoA-z(Zr*b`60QY*s1(18}j&BJbo||<Clx~s$Wm=FmCIM6dA)NzX6H(u0
zIAw0n3iO<j$o4`kDYB#XaF7|^zWWX6tGY_nq&0`XCaU&uI=>HHGid+7D69L8)wH#V
zuqNsr!~Xs^VKxc!!FUDozCC@-PFC>K4Mb%JY+EZR2f9iKm%c)8--P0ZxveI-gEDKP
zc?YL?cmc6Gdtc8AbZ25ckg#C)?FbK1ALrK?Q}W|1&%O!09X?Yv%?l{AJl$y)oEio0
zfcHKg9vvKie0%yD2*_8IhuqC*vIXU4l8#z9-hSI_4U<9EdWZWh9um+m_+uxDb9}?@
zT6Qy;*0_g(rCq@ZKzx%6OWQyh#^}6;ekvT_w_vvs<Sf8z2Z5Gnw3GH?o%?Mp61FQa
z;2rL7<HLQKZbl(J&m(|-lbPj=v8(A_NR%}Zou<=HFkBC`0=2<F1T>{Y><Op7mGp-l
zeNl>o;Vqid?!E~h^mwA00XBiwM0xts{evJ6q7~>KLu<G(E@Wqpa-2@WI1uj|3D5-r
zPGiw;LTfcftfsU{khRizJvzlf^#`F`>@?e=<lc~4p`Pz4+flg!#hIfd_GHqXlk9zp
z-+;nKE~c8i4hpP^wj^Tf1n~ez(MqIcWJK3Nh6WrCKO9El*>6H%JvmiPUz-ZclUFQ;
z<dbPsr#rc`2KU)AdLgu+1zW8D#O{gao}Fg)zW<^(zWe0C5S)zs4X4C1t`^2M(400e
zMi}t}Pn>u9eg#%o(wP65(j%+Wd(YEk9u6H_(2Yx+l#PxmjHdJvVDF<=Mm4TKwQuau
z5hEN#pT7TcUX#$^#s{IX&uhSp`{1`c4y$*%{J<9->fP6#+U7c#+13!LJwpaOU7ESr
zTXdn(;};Z#{WM5#8`Ae|AVE!ZhxWwGF=)irj)N=<M=@NZ+o%TT*uz?)wOmtvdA;S-
zCTCIBN#dBkCaj$%S2$iyqrmh&d)*^t3=G(aKEV1WM!~tRRc#xJNU;e@-y>DvpmoTg
zJp^hmo)jo1$R;TM4hL83q4qTnt{wuV-*x?0OHx@7VNDdKVeabrdTDj})11QkCiK;}
zo>Y_89{rlg%JltVJP)F96=yx9ExE};;<(}0C#tdeq?)RZ!LNy|Z{w>txn9M-1u>e@
z#@6}CZ$MIQGfOo=)nQwdELxx7bZxfiri4~OMW8l=<yv2|;5aI&Fr2A$8yQC}6-seZ
z*aB5pRfXrscUpk#Iw}M!Z)dePYuK%;2ji}%LUN^8EHI8r8g;GNC#k8;LRQ~eE4P}N
zHO$sV;=<WpucJb6M$8rrS1lDvp{Hy?DymrstwP$1>lQ+k-cC6*QBQ^B-Y{YTa#piv
zO*!Z7Iu6chhOmfnY9(9Z%dxQQXcDN}4O{k<QfNgZN+=~W;Vhw(0!)xNmhxWAl;UNE
z54#S<(^#NA^I$}Kbzr6K9SgZ1c8hF8DI{YF{==@zI+WvLtTGZr9BRK5hI9Gs!)~#C
zD21jjOnlh2RQe)qbu`@Sx)hGJ4eG<Ld%l)JG4j$Mc3pO15eQP!>?u^*-Wj8R*e%qu
z%K%eIQ>;3d0Z1Y(6PVDPrGWJO^oL!CHLGqfiEP@*(zb@@{bARoP8Wip%wm_7Y@Ek;
z(&v_!^5Hau<G)ae-jlMWdD`d;5_#zu4rX735k7)%Q5fSRc++kJ4U%X!iTN+M6RQC!
zIe^JLV3ufCyzyqUSr;cel1Vqt(-3F;(Fo_tmGf}smf<KN0F+5Et=H-G&wGDE@9AaI
zP?O$-{b6fMJ=DraB%i?0<WDh1`A8Y8e5j3Di7{aK%<I?I2?XVb*hPCfZoz>F=NkQ#
zbAU>97KrRAch;aEez0qVvD@Nl;Spte2X17BDx8I8tM?{+^>TR3TE_TVg(a?CVEI(@
z76G-HYO~FD7fFih6w~)t_?F$d{sAQyJk^VtAgNT{vbrLTKNz>9-)W-Csb3VhL3xjJ
zGF|TUl5+Uy$bZw_Mdvj<YhL3%4u|3-lX1jpM-;Hu{2Gim{y#sq|8>^w?V?|Ho<Cmd
zFcH1Y^GDQ;K~UhT#Wc7j^z7f}7_Jl!P&>%*&woW2Dh*k}qDdM;V|MW)Y2ZU^--1D#
z$`<_c#j`PXLzh+YO)!~8(3ZsC39Vj#|Lk!C?L68cAHOuv&d$z<Emo)1BDw&b*Lp90
z%la>V**mY1l9oLe1vG)Xxir|%lR%a>Q#_mvaJ?Q31`T+@F{qtjFhD=;p&q3RQD>cT
z0Q05}bsFfrc3y-1=0uzr&Ck*x&MuO4LSJflfb+o^UO@X22XNOWdjm;=rcn^aaPdcz
zQYXB)-G*bZyw2?uTl^RUn9Ks4$v1^LxWQY&Io~WKq*t!!#wkWu_?BK+4wHx8w#^n=
zn?-D6P|p%}Ci;Tl#BTy>vQnLYU*s>sOPS|AukFG_KCfM2JlzhWaE|HR(5vS-&bR3`
z6{N{|?XS-Zs}TZHxaT!xD@f}yOJWZV#zC6ld~cRtZ2w}x7{bBTT_pd`Yj2XcfgV3Y
z{xn68A3c7A9{s%g_?O+Me?>3eoLLZX9*j%~?^@^Q=d~w~w*U3=x5x3@7jK{MJjTiX
z{P3qV`StO?evhB_d{V;#cC$TAu5pTo+x=TUr0&f$g(IJ`>RrK<Fge9}!{>!^RW6wd
zsX7&mMQVO<eU_&0AAQj6l(p0s3<mF6O`@3L>&^#zB@W5C84L!x>ZXQ)VN8|K9(vzw
zasd;@VT%LSTEH#bT5~?%*;pIsi&z|FILM~@<QBK!i}x%HlF2lIyN=lnhT-6f{Gz4u
z@_%a{vl_=z9fX4`2zAw3Fe?#yMgFOEl&kgJ6P}n{vs|CNlt>JXJ@kdl5h7VTM6dP9
zx5wn$fP8yGuR<Wr2nuzsI^IJY)_}gSN15slh=l^GfhD6hRW`G@q=?m1oW|xw809#v
zvyxYs-ql4aH^X=k&4xHr%G8!_-CyT|OQe=Iq(2)(KDW5YI2^$&!gyMrgi#b`c#y<H
zYb36_bIdz)GMuxZqh5zHanV%+X|VZJ(XpW~T9XEGoF>=)MJ^&44L{~t3p4|`#Lh7e
z))&2BLh+<b5>R@zZ*$xWKV!}<Jq)1_scl7jh85&ZyrLHEDCsl5l6<YdR|`KFli6(8
z%)-yujd_^$f(fQ+llm-;b{c4wMvqP0p?rrswx_S5>Q<9J_w1^V^{S7JsvJ)ac5jcj
zEAdokc^GBZ+Cq8O`hVHE{}%hd&9+P|p38RS<*J}s**XU6ixo7XyGoca?3UrCt58|R
z4!FdX;Hc-UwjXE>o6T0U>8SO^5ORq*ZIO+G6b~u3>gw1$NEwg(>9m*AO*6__f4xk|
zo&NZ}@$<a)_UQ2F@a)ikefV#Fp!5+vPHB{Qi^1cG7=F-mhXPX{F9(TZ^;iS61V;OZ
zJp<Ge3Q8}a=R@_@a7fg6RCH2Q-HA*p(>sV<Yn7U-1M7zwgRFPe)Hq<SIYQ_34Tx3|
z%|Pp=%q61wojK1sDn!CQ1}3lq+$2K_5M!qU#6?4_OA4mW;!Y#(wH9FstY#ALhZ$?G
zy~_lu3`H4#&fYpX4m0hlLdT`$RMX0}<A7bl8fMKH-{kxzH%&1#%PtC0`$Np@W#F4^
zdEdF$Zvjec62SkM{%2hn748agDZqhW{^VBX^-tnjV%N!pgkEXM&n2+Y@+$%jE6wrH
zuM2b_Enf*L#6fpCmKuQpr0H1uFT!D!?#^rGRnGEOEJt6;S9uS<W2lRgW1!uNY__Nt
z7Mg=o?#gx#vxF6D#<HLz!C;p0<1cmn;}0aC%#(149-+VUFT46x+p7t~eL7rlO!bce
z-$J7DO6`->aCZ1HxZm*p6td3#**e^1nHuP0zkxmu6sWBh^5OC-V(!F6yy6XA@Y=2n
zWqC5q_<eaS22PV}(k9H&jC4$hlZM*63MungE0tx+Bb#md^?Hl*S|Gom{Z*Y8Pepow
z_E7y}U&tNx1q?*`MTqp9;wDzL{-CJ-pg9Pls7@GTrRtq0*ai{gJlJLLe5Ym~UnD73
zt|w>NQH>I1ZViBS=*vRM;mR>eM)mWWbTHtRzeGgTt@aiw%QB@8ObN=FQX(Brrj#&|
zG9}>g`9hRLLVSekSX>I^3^rG2G8_+`en)m4f{~L1wG<t^xxUC9+I8uvl`a{Ue^Oi=
z&K9!C_XQcijTh?3KNi%-$_slWRf-WpF2CITGtA85VkPeTHQ$#f@icX~`loug#cqiD
z$8Hw4mOOPRWqsZi7Zuqq^^YgR3ap{}SJG4YBvSv1#9<9AQzM~je(CzI$8Z-Lxf4y_
zHO#CUCs!GC5lBH+W6#XxRZv`!C20RQq=$&s;%2F=S(l(YED;|&z8PRV#6$G`mx?a$
z==!A<v+%zHiBYYw&Fc~^K25URc$u54Yy15x)ml_bEtF|e<852&-N42hT9nNp7Of#C
zz>ZOeahTJ&KSZ}UH!S^v_{;Re*F&DZ@mcx_t6{GC2wx9(X`f*md<EVtr?qDElmJ0u
z3fEto?j9-&7SzlPJAk6;f)!nW2<LGBdOVxDRXV9a`b*u#+`u!`UW>P|R@!;ds~Te{
z&m2JpEv>t>!Qw`Fbz|&MbY;eO0i$a`G|eU_?!FZ$68e4}!YYzp7z4}K-WoB4n2^`X
z>$MxGKg(T}SdgS{aj@ryNg^S;h4d)(ZtvldDCt?tkF+`FqV38ivc!WmCSuWCfhoP^
z7F>8A17G;06)U*F6@;}4`vAoA(<;)*TU-Yjedpx>hjV)E|My>*`n{WEpKSST@Z*7I
z30z5_@VeN@RFCPrHVJ9=r@;7C8@mM-8Ws^_6^z?OFA>N)C1@_c%tbCOSu40zXI`pS
zTi0_EW~p9QJRh@EAI?)V6({McI#}R*UCG(4D(Dp_y1tluvKC!J)|V>Z;XdtXsin$`
zFdpG_nuamF9pn86DY)d{ILK_;)Ls7BcNVxNp5yekURR!h>a;4pfApc5jf2Nee+E6N
z6tTxf3X1J%!TDfJHyXZ8qXxtw<?El|63WpW#utfE3eYHTEvJxeB@425xPMCT<2k`8
zs4I9g0$pt6%cN6L1jkMDAdEBf?VU=UUG(18n(%gpQ+|U|qr5^pN(NUD#TXSoG#q+~
z{28Pu8gUY{ZKbEoRw%9-<wSi*UnlP}j1)%3Zgph+=%kWkXpV5+Q>t>nO?Lm$;jn?e
zpftGN@1D}Pn%coKPeZC*7NjE)59!Wp{0awWh=iQP(mGIzi8wp#IdaW7`Z6*Dwpybs
zy#mk*CTM9kMVE4XU8FsoehL5MCqCGHRGb|JEecX8{S*gR)!_q@jN&(&6f(*hT#*^9
ze=58<1znHBNL*e<ypiv}a7AM;ar3{$DN;N<d6~$H1Jo?AbBMf)Z#PJKhsTNo6z1PK
zI0E_`42&mO790@wb>GSiiZTwaSVSu2UKp!+7o~_OkOEs~=?;gYwv2+|8yA=iqP}No
zM9dxM$OjTxyg#q?h5h=VdD8N0;f9}7uE9{t;&cr>S5tl(V$a$apPGjkobCI`@Ro$=
zY-<3k``$cw@L}=rTWnIc4=TVL%m0q*bdUl;QdHk^guJ^})g0gC^(`xcT1FVqq5@$B
z@C7nam2+ih6_cw5O7SpESujgqNyh)5;hVex$7EoiE<K>ghwbEC%HP-Tatd^V?C`vj
zE5}0xJ-d+MTT}o8unS>C_G2<c2V0Wit>ZBhN~6To6A;BGS5AIg3d|AFIGqLkdNv8h
zdNn8i<18yQ4ycIu{I8S={I8H1dW8a}@V^4)@IN<`_+J6D_@A3;{O`{3ylUBqFj#V+
zWD}CCR1Q!ib;v|=tL%#~4x-3X+YeRW$c2fbq>UM5TS*)CqP(iiz$6*sh+n|5@bw>6
ziH6EcL5ePesRCSfMNIJ(A5~DxFa9XG(5MP<#WhD?(E1M>SR2J<28X}Cwq@2)+gsTi
zM|-o5J|=$FwE-un8un42hIXiB*(8&3kVt(GW_^Tnf0mCs;~<J~Ji_2~O_L0so{@+O
zo^YK8Hx?hpIZo*<^a8((nH8AgXU1Bfwb~Kk99<hEQHo-N+N{X%BEjrA@NZ^$kmlLD
zFdx_XD=fhOGSrjYnc$p!^-ucSo8W-EqdWBd7spfU?duxWCV@AJve_5<{)_pj99iu=
z)k5-8hPY#b*9&?#C4_k}=3LU6o1(+onDbX_L%qsa-5fB>L_}gjY?{04khQ1BS7z8Q
z607}kZ_jzHVfJSuWW`2ep+6Ylx{-7=Y1O2Gl#^W!GtK6Aq3<RS>K3>)=d}(Co6gvI
zZC4QF@_kI_cB|nK9qrtsOV>0M=T<dK^-oprwnE$JMfa?57OUudSd`^1H31BPEgu%A
zbI4pR!e&btVNa(k4oW7IARYo6w6{1rSP-P6*#yUVG5gPJaS{)Jts)>LUT_m07m5Ub
zmDMh)^OKXJ`HZLuc7(D5z%~i$01AuM1rQ_JTRc>!iD(j%i+d*M!uNup%XV#3(C#52
zi0ug&Q_Rt7bD_u{1HBE`ufCcvEAm5+7hS=7v#4ucD9)#A&|bD5;*ie?&c_J|`pI$c
z%qidxN4p^wKJJ>^I)P>;yBFa9+I1lzqT5ASNqDHV1cL#d=JLH46c1f??0cvX+&w`E
z%rE3?y51OX(5N&I(QG#1k^)Uc8?F^R1Z*d~ax#_{GpQ-5kzAD&%7jNrC7REutZ;^J
z+$)W=5=~|n7SGbiS^B{eN#!@sLot`F@T8o6`pu9K;tE+uBbJv1_HKLwTL8T4zEQ1s
zAdb`rafD6VYp8hJPlSUo3v4G*4fKDr693IgII|KB^u^e}tfc|IQl{c-<R>8EOzh7|
zil;$}d*LW1GlfT*2V{DNpS9=r%TKH?9pOZK)6u=vA+z7s^XjC8P1{W)Z}-Tsw+og?
zQ!FJuf3kFiE|T|7RuDR@o}^I1q@_ImRRY-&&bO8RR*q$J;lmSEQ|7$c@vBp?$^zMM
z7t@hh;b2d}Q3UgxR&h(W^ox`B-?>^U&nkO9uf1U#i8D%Jq%pmqf4<nPzU=u9?YRWh
z65?z&B?bu(2}^@~mSR5|C25$CCz%_>`}3M;w4L!*+d(u+vh&&pdiQO>f%GulK55GL
zAibUD$u3eWzCW+g#{lfS_Q4RBagdFz7UW?;{b?{9hVjU1!k#-?-EG;^d`d-rKN-O6
zI^`?y)f2rWw09`z|Je9m6U;`r#91n00iChQJb=rOSTGqtjf>k!5ed<TTfB;)9$9DB
z8V-X38%GU&=&l9HyrRSHmcFV8^pLKXR<ZDFx9%xk)xHbewsGrTXp0vy>BD5OO_U&+
zx=vxD>1tA?IGH1rXekh(NH^*?P)NiTfVh#Tz*Q|$t&SE@9BXtoELmC5)hKFL<!IRL
z#FNTCbtglLd8L0LYJzuRp-?dq3AGgv;tZE{&q+hpDw&kO;WWIsU21BU*ke~<{hw=)
z3o$F6`US`ecDV3)V7A;DRWD`CrSukM^&3S3x^#-SclhGyK56~}JpP;T|GEi(5S-N$
z{U8N@<^(?x!?h>&H<5H+?B3j!H_VmieMdN_UZ^~zNX?ym+vy&|u*qJ);m*XG`*{|3
zyqS4j(d$;KqCHfnVEARDdLDItUNfZY@5rn_>r-o0-!ZE08db{@ijLsKJ?G^6whN@b
zQ9eh{{Ij<`hpt{!XTX!D%4+f5VUUDo0YcnIw@|#-rCo|NfROFAtAYDom8~v5iizB!
zRLWZV-XYlvoMx*w4dG-hF>1T2D1!Rt4aM$r`>xwt_?c0DQwoKzTcaSut~F!h$QOTe
zg}OVILv?PW<AwGv6<#7%rT7DPu!a8kLuX@izkA@neSJn>V|I9S);-nVP$(g~e8pmT
z;{A31c-!rrxvol9iAC(Ln@F%kr;gu|%2SJ7k;Q)skwAgC$)s2`rM3ISA#I{)lC7c_
zMfHQh)hJD7@sKN%4~<$JOmJ4)eP7GRVODF@Kvi{;A+9xQ6jM@bLZM`}-J0ilUElW`
z9pCRX-unLA#v9*%)9Ctsw{h(I$MDVT`kkk3`tZ>A4`~TheC7MEXger?X8`Mk@4pa@
zqkXe@*7p4w0|^iQ;rsuf-(=tLlY9^upZ6(DfFZGf55VG`@4pj0KI<rT0FLaNL!7oH
zMDqKLHh~W)ARnY)NE-`!h+Zz+v}+FW$m|rrXq{fRO;SK@(Vy~6H0cOTUYaBV(#zok
z1b7DDpbB(nR1stJ2_lCSpw52J_upN<B%S&u=M9=0;~Dt=z!(LsEUWZ<zb9FBpg<Vy
z`~HY=`gY&<Z}$Zm<}a0cVaNAFM&Iib-@iVQ^?HD`^5OGu3ILEdXdd`}00pE<-Z2`}
z+VCOBM+$b@6a;(-Id4-UYBMKpH~!`O|B{0inBJ6?klx7Ge^QX}!9nJ00SQb|M0pJ$
zHEK-n3z8IjFfjqHHo?>OCVJcyT|mY-$j@s5sZnFT7LZVpgDh>hFi35tr)vQzH58q3
zYXG?cA=&^fH-P1OK^pTF`#x5Mer*B)C0X0|GsP)^vd$(3xI}liZQs9b%kg!pz%Ifh
zFsK~lP9>&`fZTvJ*#O85sJQhoXbFi}2lJNbZXMHW1B_i_1YfT^LtSZ{y4jq2u>oH|
z)3i_40y1p-ekdo(v$X&nwS9jifj(Ue&<zYeY5RU6@f@$FCB6nluiCzUC4oL)3($2;
z!NO^#0iSMUnth{*y#aHzUMvl|h}s^FQlZBU1V8H?#O5aG2Jl=jH5Zvl1zJW6nx<_!
zC+zNaDoZA9-=8q6N=64rcEG5Sul<FHsy)mr`&<kgZsX@}Y<k}&nXq163eYx?UD|+8
zvW_qvN-F)hO%VkucBS1|1IP^s*akp;J=QHUDId3e|FP6)^R?*uM{VDKB!TAl1=?G{
zv~GY?8*n)`pb9pC<pw~mmpz6+Xj5v;1Y#rM(7Iit-U3dCVus1%)_n)E2=UgdosAwf
z;Q61*HP%$mdNM%kB{hItZ_wUbAo08b2Vn!;+W^RQD})W;xybC(6wi7b=?#GVdal!^
zCi^;wvcw3!a(7>kKZZ<eZq<BqGQHl3xhatAmD}C|&iA@q6ac!Bl<r1=Zo~*|AXNBM
zu&K9zOAK(jYxS8nLYuEY6P=Ej_Asr?`#DQw)(=2x?s~iykeXxpY%L(ykqX`Dz!#C1
z_4c>{QZM2K{8t1Yz6kafNDOR5O>V#k+DP`tIX&+O^4<DVZR?Hx0ptdfGf=U+RujGf
z_N?2v*%Z$=0CF9{oB{IxY?f#P?Abtg@MoDn>t#@Hfp}xR`meV@LRH&Vv*ON1gKXN!
z?wt?mEs#~bZu|bV<o@)&adB^f0BF6!u>tOH3QLUx>oKSsaiTUb^!0+2QYH_I`F`ir
zlP8vpLs{?>zJa3e@FQu;DZUOrSq3t+uXxz<1R2!%dEfVc-j^^){rLf)LcX4O#__B2
z4_`l_C68Ol$Ur*{_k^7ll;aRugW?E>y7Y;+ugsE;IFF_efK5(GDEKK4)QO7p_!>d^
zjG_$a$g_Le$;V3zto&v)(df@Nau(Kx@fyf>>?4N)?eRX9AK&l%lcFvC9Z3xrN&<p4
z@I^UZ$YM!iK!NAcBgSHhoIHC7Kj8za7zL8T@?a{*KR?g~>2wk4-0(*sWq|p{c~D?E
zjGAw}i}n>lNwz^_UT4}-BoJJ(j(#>%n<_140A1&13ma=<@{|giqB#IXsKb0McnaOf
z9*hZMwUK=1sHQJXROL4b-0|Vj^T7g3PqCTRz)0;KbD>9+{8p@y;e+khHcsctZ<2{}
zZU{{W>^xXRuGaHWD4mQaQa%sGA!1EFr>cAco!B~r<U2HyXOe~f+gGGkQU;npZ7CpH
z$o8DE%VoFVL)kEI!jP4ql+}a>g*AmlDo6@jZz5hGi>*VaYF_)$l}P8I4E?!#=*G;D
z?W7(Qev3!-ptP0}VPny&)iDH|x){Rhw7ECwa+}~oms6=2JnCdHvT?Kcxy_$&EpyW@
zV1iDRHVwGsh&4WsI~-3*90N~-1ApE3{lD%jL-?iR`@a<4wDA1bB?zIl%sYy@U@$Cp
zNP91u?c0^5`V-xF)caEhuer!Oly2nf1vOSK8>GdUPuX<^%MNtP+Sy3lv}M<xlKftv
z2V15t_tnvQ)J;`*<IzY~gy%&P_0-I!>&5+I8@6FTX#vj=FqNi4emmw~pGQSVS{g(7
zi6$PsOv8u;L{zG9Q?o_SRG-K-=M1f6m^6*lJC+-6dr<!@_8|Zu$dh3SWKS-|EBk=9
zT5qlHB8*z&$5QN;u@(GuJ>wz}ca@MpMuL(GMN^P8zUe59MF*Y|7)tC!s#F(~OI1vy
z@s@m(ADZ@y-H};of6~x;R4GdHXY?YBUt7^wMy#Y!;*uSo@%>Jpq9b8TB;?SbG4CZ-
z^`fR!TJ2)6E@l~s`F<zunC;|PWV9zItrR(F=V=qyw6P)F?9;|f-%2E9tZk?z1Eism
z4ZY6^^SMj)w=ut=j?10m=zZQ-2FP%fLj**buOWM145Pez&oSFBMWhVUgVeo^yzI;+
zp1K#wq`uJH8<Jt@g;ye_0N={#y#PxzzU&-&y27K4U8IyAw2LQ;G3%ylj@^Z;R3;qF
ze1DzDN%$Ia^RDR(nPib{m1rA*MOUUInWRXIeJC?VtV|{Yq0A@#vL<GLDp&4#TXot?
zEkw=(C<61cZNt=Y_vp&D5&)QhZ9jPK>OzJByxOHxm9q|AO4c=>?B2(!{nAQ4w^y)G
zhWv1vXrY??aN4TH@Qyl*d)#*G*lq5l5${OH-bDl{wk{%Q0?dbQ_>rZ8?-0aiZhxT^
z5s$_?OLebxIxqHH$<N=sLU*rQ<o!vd{7&3U=W^C;%|9-2_T}L9SctXTTx3%i$^fCH
za(%_z)w#8fVR*e#acgXBsrNL>A;UM<Du5(|0Z=DR*SV@uikwHaqRiMVkCKMN^L-}{
zQa}rE_-s)`Hd&(k9jkl8kAVV%!$8TT<NJwIq3<hlpe9XShML>5*1j?|q`zuAs83be
zi$Qrb6C#!f7m?kiJ`6#ZGZ6$`hMKOZSXge-_Oh!aI@zv0n}$0byH-c4em4Y3JBbRX
z?-Qnm)%pNM7wml{Y5*XN%R=h*%hGV{eoCoLrE-OGsj&E1;sXv(6(`LEJ>91sukUv*
zDDeSBYv8>8XEhpgh`vXyzF61s;I30wen?VTOfm?`n2#cgDFm5@2ApK4E|E}JDmt8Y
z6)a>t!%5Fq$z>OEgi;CUJ}IMz%W^^!)suq<GDv_ABLLFjc9of-6T}G%8ml22JTUgH
zKJ8YyV_iNB=e(3dbFMjg)E*j(UWdA;Br0|kag)noHifw~b%h7WLEKobzdlC^<~wb(
zScYrxA-!4ISk5H*Q@42p=+1#QTXi*~dj&TgGgh^m{?hjSU!)%T?4FofF87H5W9kNv
zS_(VU>va9)Dr`qrBpSz_s-%?sm9=j>zJIIw1X@2&yGB1AMA_O(<iCr>4!C1%&EesN
zy0&CbrFp@+tlG+{F;xH5z{d9F^LAmzTL>fb0i^wAS4Ie8dDJ+8tZ{UQ(i~EXNsT9@
z*rPFuwDFaT@@g*2q;mP9yqps3Vr8LSUMN#vm?cIVCkG_27TX8FIU?7{rNbnruoOsT
zR**Jn*BtH}J)V;-9rIX6<w-{(K-nVY!hq0`I(C6gR+f5|=ox;zT%wU?nhQfqO<YS2
zTxvi)#s4$tD#!l-*Sen_I(_`L5B&kIbw70vU1}$z&tu=Y);-==hAv}Erk$Xr#7Bst
zN0YE(&U?!Cc0Mhlc7^X}0JrCSi{;;>;gSFg0?(EUPRR-we25h=kM7u(gydtrG_M<0
zdQsBi9?dI4RaImPD}QE{Wtu^i9|z&}UGURxiQ27D$o%)e70o0k5AR|4pzzZit5b!8
zAR(NC&)Z6f%TZC4wASC$JV&aQ7^Km{hW>+t=pv6J@bTypezBAbq{NEIa|>}Tx{Ws6
z&^0i4Cc`KhC%|lmZ?^iGc9q!2_d7=(r~+v(0ID<tazb=`duyRo&r<8U3g8=H#K%29
zP=wboIFI*z|FN+jIzA8z`?cvJLvy1?!`QvC9OJwrV^d1wLNFTfpS6Vuy;LB2-A<l$
z4h$e3=w7HLZ44(tY`wWe;tTyUho1ww>6rD6$Whq~=uyLF)K>t~7VNZ!=wS^lWD*YQ
zvuizg{i#)7Ri~!m^=OX9XrX{~29MM3{aeUyP+ttnqkEN%+Hw*?ZDmLv^{wtnqssbF
z*411a`c0~pj<5MoK4?H<j9Fmr`JIcj4Y09`5KQ)^jsU3K^_j8~<!(WE;L$tbq3o}1
z-~Ve{!RCb;VDGS6qmJ*7I%X~Ssnw4el^839a?xu&Q^)LeJ4bAWYSHRY;i48N=50m6
zNEe0;Qevk(@aPT%qXoMqU$#&l0Ew&?)qOZo`?>A=Kda4@2S5+2BgPfkLU}-1Jh56_
zb$tJ-qqI;ScvQ6;Eq-eI{!eNj$^+8k(rTf4-!82%U)S&zP2f}wtu+jv<)38><pGe`
zYQZLfY@s~xs5QKIi)zL@NnG7*c~M?|x~yqlF2H>#>xvi#RBKN}i3O@PqMLIu_29g2
z=SlmFs?y)vzW;k$fhCY*`plK5HxK1?6!%_Ml^D=$r{TK6H=!KqGufGV<|$b?M`LJX
zi-JejfuxH@bS<+Z410UX)3PB;GvHA#;F}HESBA`9v&UQI1w&>YfIZ~AWXMd9@F72c
zAVW6h-c7-fSrXYE^1Niozwi70?=p#cdGIiXY#5u*1w&@SU=R68$&i2U`2Nqzs%Q6M
z4B1e8&&(mSY!P$+q3c=K_h-s!0T$7*D8#19O$k+)Ljd26Bjou55embY>=+a}VM4*C
zi#_~jCBrwC!p9FpC=4H>wN7pK%f9dbBB%b&1L5+5+HNJAcD3*OS8~YD9|)Hhv}r8r
zw1>R&=hJpZSnzb6HjTj+Lw+D;d_kMG(p;W&e19Uj+<G8GuA0ki&!vPS^BN+B>d`fH
zs3S+ArZQx5MjPN0`J&yyYK9S@!#Hh};(e0>qKT(0F34i7^<~H2fniLEn|<Ykn|jP#
z4p$P-c*eVV(zUyh7{LdOObzxm8nzZhLI|E?T&@oFw7BSQyrJ%7npW%XQths%uMvFf
zsbf1kMk}#msOLtXS;xLik$mG@uS1tqRlWgifS^c&v2j9vgZ{cA2UreTqh{PyXs_vq
zr){h`z4pX?TA~xpx2!x6ow%S&$EKt`<mZ1r%V*^0F1u^=Z_L-9K9C_-MRWHt_77CB
ztBn19Tsreovj;Nd1zkE&n)ZOle?A@?i;r_-z=5yjSYOE95CX14VgN%r6FenMzh7-O
z0iiaHuK?k$ySBO$k_xCtb+fZJV-D1&J|$CY&e}}jE85Cavh-$c77Idc>f3lqZrZHP
z6h73Z>eEvev&`DeX@=UAMIN=kYoN(;+)-&lWeS9_025|Epf<(IqtSaM=Os<@g4)aB
zy&QLzqhO&_b<|nT);=6(+&sFc0${s*JSZ?i8d!0Bol|h9L6pT~+qP}nwrxBABoj?+
z+qP{@Y+Dl>6C0b|t$o<qs(t;cAHM3Y>biaIx#yR{z~Tey?+@;CN)ttIg5RWm;zy$+
z`WC1%I%au}VTn(+Sr48QQJ@m9vMqfWW7!z;wMVV_g&#FN38IVG>ejD#w>Q7py2n`%
zA;}5R?<j&DS6dH@e<?hcA9En(W15AvoP#TbJo6KX>*gCyP#rW0Vw7D_vnQ&ur9PqN
zxH@(YOq$=z@-FXi2KIQ`3uo<7OpZK=j9wJm3^t=A!;zXef;(zsDveIfH@7zIt1Z4E
z%AM=5w~>Ozp*xb-EN=(Ys&UeI<@uZP{B1%W62H%?Ep&_KGxmy*unHQUS&`qIFl_%8
zDj-Jf^{F$*P_vsm2H)--GVbaj->Y(;LcEX?Ed{TpA8(vz++JH7Vh^Pp4vTl?GKVm{
z?tR%*=Qb!|pgl(hObJf2oRoYDi@A<p!<Q<^>rQmW`0sV-yabGSfra<pCN@HhmGfw}
z??M@x8y#?(K_xTuVR}ii&8M~Q)}esRxUFd@57sp`G*>w(hpQ)>Z37227sq1Ef}Bls
z^fI<lG1r5zr%P5jH+^v*<0dxi3|RndG_kGHISSfOmP*ToZkst57E{W`OAK=5sidC$
zRlX#Nigx41Kq*ZztC+CjtmlIX@VcPiuflvNRE-|^ksCv<&RMlrw$Nf=zrXJ459NkN
z@gvT^H&q*#M(ipz3Rc8a;v5E4O(!r9SzX;QDz3w<uIIO!m<dE#H&OSScvvcwcC`yu
z7AVHwh=fe76G9$5opgfIhiCOEGIUG;Ve=qj%CaMZ4T)2CS!{5jelUXK6=h<K3{2lN
zT*fw5vWn|47a*kixR_YV=krC(Ax6>L)eu-QHk{{Qv{b;AlZUPWx4&0b$T9?vZzFER
z_=o3Hx6%ZH#ngEh@wLyKsHHRO{aTH12S#ZH+;GK}H&sc1xMhD`M2Sn}ueWG84-7YV
zzTKd28|Rg7pYas91F!*}ALL;+cGs0B?|k9Khn@b#j33EJW_2!f=LQnMA41wZu3SX9
zt-m!CTne1|uT&H&M8(QhVDrqLMPScYD@4HEOnH5_uHV0|dJ9F}_~dM@7oU#njo_z-
zQ#2)R3?mJRfgnxf(&gm%yu`|yan%#K%A0k&7bx63S6hDRa9_%fUNzL=NrSBB^SW?!
zt|6lDmEF0hDR$8eK4CUjNvlJM(4QgW%tr4v-;_}#&I@xhuB??v)SWQGj6k&%Pijl~
zMlkqDjn?2%THCX+@Kq5F4kq~wu250d@-Ny*3$DNH>QAi`Lu2bpK}g*u52emdM9{;>
zzy)6qvdCk{)g;-^&CKm&S`ICGjv&E`JMe3P`g@BqQ-rZ0F3?nY=-85=5!PG|O8M+&
zDP_n`q!pGQ?e1oI)d#OC(w|&@<Jp><3k=}P{*B5wB?&1QxQ=O=`nZqH^N>Gdb~;)Z
z{B(m%>Z$c{#sKIyGfTIv0}b6oi>0X;da}t6v^sYLw~=mhx1<U?mfQSUB{u+on6uQ8
z13UYazVoTm-YVBCVaRcg$(<SS6v786e5r^o-=w0gFxBau`?06(x->RBl<J#j+`DGg
zD0{I{ndR#vBRGCn7qw|RUnk3F$97ilDGRFj@{X?N_rbZ?y|oPi@1e+VJYpi^@pb+w
zimcSzPe?RM`n9!O8fHhP?Qq$i?(vE$O&9b%f#HRV;FG4vZs%Y?Q#F6Kx}VW-Au>p{
z;Fx(FXZoxg5Q7I!nbE+l{6sQt6o1=!@xEGXH<6Tvjt^@;Lotwu|NZyzb4MS4N6oGJ
zC^V08+j;Hrb8h)|={)^?X5`2m7BDcw#Vzq{g1qyQ(?h+c>hoX@zxHcqigB&7dYL0g
zscVMSjkoOajbvJ4*lQmYXrh8NFGUfbn;>>zu{Je?nu*F;a#2aim^$bVU>Mi0H&Hm1
zUyR@5o4<oVT~XdUa|GX&GLSxuo1a76W+U`^`sbMtpG#_i2M{X~i7NSRt!t_r&_(8W
z7i7Ru1~6|XRS&Pc=2hAA#ShlYO_F^qV`S&K%Xrj=%E!xK7$(r)b#s<gu=Dkd9=~iu
z<$ZanxOf+==;|P+<jLfNS(~q$K<9d5>u!h@!`cb{TwwQsF1!ro$4#+>obkz>uc9Tr
zP8@00g&RD2>i{cn`KNXNS=P*+yL#1(@HlASy%AVN;a|kCL%>cED$d$!DbTX-jTr%V
z1lKOrz(#{hH~_@c77G27H-nsVm0!5VUN9Ne`cDM6vy-l<W|?0-f^v|T8BMWc5H?<k
z^Q#|JnvR<cxy>68L^&tA`9_|G^fm0BB5j=J{Z)!T$jDp*!GnSsduG+9*1WtOv!K7P
z_PaFqB!0m(T9Jm*G)-<)bI@yed0xAibjM^e=jXrlb6Z1!?J)74oAV72^hKyp1mYZ=
zTNZ#Ddwq^OkKzW~=Z(iCCSrL5Y#16rLY<ho7mC?18dCOHcur515f_d?oEIAw-Ak({
zPpye6M(l2G+YjF3GVapGsk3G{8QJ}+UC0!9hs$k<r_IZN)GrP*UH-P9EtlDfsW;!3
z8(vE+8_=jR&@qU*bz-RTccu)-WGyvlk3O@yzTwfu_>1~^I?*?%bxo+<l#i17YMmO;
z5G?0UWK`gNI#=S6#?Zh%EJf3x@V^tt%xdj~f>cn#)+9l^HC0-dq%l0k3@y87=T^nQ
zACZPpy7BR`K2eQZD0u?!%!^C91<1<u(ydP2P1pG>dMMLFA~s|8VWZrwH_Tn6B6I(G
zBq9APIq8B>!ZeAPL6lZ<mw^Y0B>US+;LnRt03zYmNg^_4pM4{FF2FoDhks9Z!9(xg
z1YPxDi3d&Y&EJDWp3%Ejcg;BxamDzF#YUD;3+2DSL_*WgS43jJ7ty|Bl|C}hy#8{a
zCiB`a?|T8-niCtBbl2SwhS~4W(P^XAL)^F;bR;xP8ZP$=ZUnkCPC*~$+~M?fywM(R
z!j*+9ndJZZZEGJ%l_mh4tOJ+wDDoIq`cU1~Y2lb(fTw{6ycblg0p$M)!x2?sIWM0)
znV1vkz1oQBo(Et^Gj1O<8FMzbdA)!LSm5vEH9(v9!U$2`HDNNKieHpNC$R*VE<;sR
z_@GzE%yokms8HBa-FkPE%P_RuE^Tbqmb1r1=&<%`I#o>gN5HY}mPK~tXm^+?WM_-d
zCB_;W%qllp&mI|YnYc*65T!>ZHt&phYdSnUIBJd*+6*LBHJ<D@tdUjWMNd9gxmHxp
zC{fVi2XshUK=1i^Y2m?jmCqDn)V!6**k<_C7Cl-**0jJR9Kin#b|=_Iotb!e{MUM=
zjEj)CTOlbbun0$^eiTm*_gX#aixqdgfK9Yo&{gZW{chAd@#w@(r~<-7k^}EC?zx1*
zNn=%Q+meQAxr~8+9&fpQbeJ4ct@EgrqB>s5!rimQxCkBUm~qaKPC+`mnYD-+xmlrv
z%#_TAs^!f_Qob+KlGyR{ig*-(u(y;Zzh900_r2_oOkMg16jLmY#VEH|`A3_QNt%jw
zE<CZ{bP(pXukifqOct<)>cEm`t!u)U8Lx@K$d@Utz7#Eqzc9e#ZdiBN7=D`?QLdkj
z@=G1C(MStQ9Q379d$c~Gxzag#ufR?Cp&|f<hBm61G?k@rE5+6FRl_B|K<Kx@kY1Td
zAkEwP%y;~^DH(+Qx%|BJsOQA3bEHyG`#9ov?UUFtUWR%(^ZP<ZPl4Ogk}kFg?=lqs
z`O8;Pti&cr@IFd#vF+t<e(XY!YfQm_O0BbP-;lKGbyb`GffRetxi0Y}+}@TkR0|A4
zn7mF!4o%v0YkERXiBe}uka~$UXuNx0BVnNoO0q4C$6w}<85jmLQuq%aLu4_m5Hzor
zl2#fF-9-fu4aVe?9KLnV68%Oo19>1bPJ<tM#vtz_4;nh>BZjM}4zI}_%uEkkbR<g~
zJ45S_=BljB+wm+WAB>CM(&U+ToY+Y9+QuSd-q6N3MeRm7ZA(tj_--{8@VWvUS8Jsv
z-*A*Y;j+1;vrzHT^P>l23O$`R<PEf*)81`$A1aOLPjV|)4oLPtT}@sGeogvDFQ`x)
zOGiW~I}E#~r&rjREcpV=lgRalhi;%rSU<rbBp6uBr_u_4Q|(ku>quF9wC(yxbv<*c
z!TBGkB$2y{UND=`h)su=kV{P26bC5EMyGG6m>O0U^STP>RJ4kaQUIx@Vl^zai>>(m
z?6o33c;w27Ru6o+nQRorgrW?5kTcWWI4B349M#gy)cU@1lTFynwNtBHXIc~CQNhs5
z>d|EwjCO~f9$O9}9Rb$8lzXq5*MOE;=hnAiR(|~3jt1K+3N%a-A|eC-?IpRaqEH><
z+WA>*r>bW1TwbC8j9j^Ic^QTpWd4?CyE4Adi`G)moDN7KiX*-<c?eNywj{rmQAm|^
zK+#u+>Q?aT-aFD{hw~XmNiHAz-p3Uhd+)E?4zWNQi@;>JaaZ`2W>r4(;-6TBsc95d
z3GC6HGPrKT#-2aqs@I4wRokE6KY_#l9Z<Z>2b5u=1qAeh5Ay#66vO<iH+6IXm^%O%
zY+NsWZC!CW8&5sHVbVP&3%b!VvOis94Xz0?OHu6~Xq00Wx7B1oEHlXpiT?m$DM#0Q
z|Aw9IpE8m<@6XPz8APN>00nU3#QZJ@uvT=<lp3J2A<Sp2LwcjY^bbBHOW5i5euOE=
zAEq-!&32nZqfESQIrB%#C~VbZ43JlbQ56AxeD_^)`P4a`#(mF^!mPLmxpcf*fuV3>
z41gIp-AgpTpdN43fc)Ijsb`zbf0PZl%ej8{CqhLc34JF&P|06~aaDjnZB{300@{Eu
z!;ZCe4dd3SM|=Ea90L{*F(kNjMErM7gt+AxD!vVENehhkh~8ZrV(i>2a=Q0t-hRVy
zS~>>sFnhCy+=vfmwkW0gd5^4voY|-jiSBAK8r9ofIg?V>0CIVu2@rTiM_JDa=-!oM
zS>E&6XvIfh^V&2!%f-xAz(PlX_iN`9#Mh6Lv?Q!mlsvfIeV>1Ha&o!*&Gd2mcKPw<
z!q&?rh#R*hx+Gas#hnih6=3O)Hma1!3{0K*C)rsD%Na>l0z4lbBU}{Z5MjaLLLa(G
z;;i2fOJ6TGG^py}zUg8%XtL>`=^uKfY&>^a@C=d!W;T5|3T40{-dy4!8dn%v%?*xp
zDA=4DsiB1}+mT%WlX!G4j*RzL-+T|4f^#Sf37OI^elWZg_};>zLL;0!kh4}juN1u4
zwheTI&=oUKrfdhAWRC%iM|=bM&2`}C&l(TxyhoMP@V^zW1)Nfgq7vf&Smh)f&?Elt
z?zfM+(u|W3-Q+(aJbIn7j!u@~bc*ndH|Y+QO3_feMj;|cGMS(up!<uKpmd8N2QcX%
zO|&0*)rGC8B!a)<UqGmi%u5a!Ph59d$ytF|b(2xwfETsZOHhLbP$gMqTCU^JGh^mU
zQU4*2mdRJ4>U0XwhNoN<Q-sDuq254B*nvvkr3-2fVv<jo!-`n)VK7o@2aR<iajmXb
z@mHI^0`sw)2F^COGe7#nJjh1MHhzb;076#akR1+kEW`CP_m42=tDZQ9K04Vy+#uw8
zh@SKM6(_X#;B|WWVFL)hNz4u$qE6Lv)rCq$qJ!^`WSJynwa?!mWUvdnt`m_59w!Qp
zBF{V|lZBt8u%(~ma%N#Nw^=&Zos4Y^(GZ&<9TO@4#>vaGR@48k!gl2HS4tyU8o)k=
zo#&zXj8vi>2fE*wg=)bFMtG5Xd}&qn4*hr4^iL*^fCqUuh|Zhm!;y0!FTjWAbh>y}
zsF!T7zYV2y<!4j}{J5>5V$Yx4j$*It1kNcgKg>0;1n-nUSx*E6kY|c@l0=K}p6!3N
zOGs>jelsy*ANom%YxF%Tu{IKT9mNds=KhxtKL}_l>9sfiWD;=E=?nHR$Ps<ncxxcQ
z`N{U2lpI8{(Q-^P2UIoN95s8(pn;X6`MWJP{*c@55Nb{kmYg;IpEFO;Ggn8BbLt{s
zjHPuLNI)MAuamZYr>wNoXws)c@<mh3A*;7+&{8&^7jE|~Q>ptUyDyz9GA$u4t@wm1
zf+}fSdL80-SjN|2=$l@{Zyx&owr~YXz!R{np5|HC+P0)tssh{_66O5~lQ||@^fn68
zyZBu|jn#-#rzIO9wxJm1g?Ph<P_UU#k0BW)UH`fkORS|ghCeLbP~@%e?6i35EY$YN
zB~*Ok+<K}r-v9u7XCji=I10QJIrh^yp>jrYYf?4eGdNOTZE^9{F2C=Pi5BXMDv#e<
z$=4fUw9VzZV=hKUbHX&s!0!$3N^@ukRzc|Cq0EUAdy?c{v0O`pg!r@C1I48H4}R?Q
zz6Hso3XW%GcMM#18_RCf3UcPYoKVTxpu{yjbI4ddhk1hx;M<;byP=G^(>7Kk=JGhh
z8i1(-T?&0^|H(D<9*Bq+)kB|&Jr+k6bTSN=)uVz=Ab|hG>hq8peDZ!!^hiG5G>|}#
zCDyx!`|wGzG{jen<PrP{K!)l~X$jepkEC*8{yB(1wdrH7j6o0xX%Lc1Ji`Gxui#NO
zV^$e5Z)2Yry>w17a{BDjyq7OF3NxbTGdLWuwDfC61Qx2Nv1078yl^6yC@enweptp=
z31ZTn&mAonTr#pdutn|OQ7iS=R%sB~xKl(eH8OCTi0JA{xD&PvztC}_wEMXACcys8
zkQklHMH}9W7hM~K9HVeQh$>%@xLw)5K3)s2A-mOrIO42p*lr;11zrZ-><LM*W^_1i
zay6-J^I6=HS`ncPGS$RWmb5pNt&-5av&5S%{g>(Jt*&f+AVZ`Ay%f~;O^jha{6)eP
zLG68PHv3;+iaStQNe|rhwm%X6t{3MAp1|82qkHR%4~e3_*U7zj^nRUGmS=8~a%U_w
z%n^L+IfpTqYjqY|jtmKdj@;pCt_nDoV;Y$fZpIDUz75Obzj;Vg7N+a7S$erjRa+U^
z?4TcfDz3f-Buy!=lUgkXxlhrXFy%n3Y^s9t7%2QUBlqECT_Aahy@EY!ZRZtdh(7?H
zcMrFhG*2Lz%?ogcknN=7t|TorUgK&678eDzi947i2qG+BaLPLwS@62OHPPhr_+b)Z
z-mKQR8j|)8G4tD`N<M9{k<Yf!`{}<UkKGN?w2Q{qyZHzr$a`ZR@z8KXmV!^_*>41W
zzBmwctF7<)U=Kp#KfURqcXhRUWcVVmD!~}dXZ9#b#>j$b`8+#wckHtBvijCiNB{C8
zzC-D%4~vKezW$}N&tzmxyiAaFLX>7O&UR|_kx;8=Pk8{$>H6jx&%CZ2U?_ToSrUB{
znnslc?eGAB|Ngjisj<h-Ugslidi_fgs06HsFnUl%x<)6qS+rjk2JN-Edlu|?pW240
z%%>l5&8weZW%A5f#S590Md6`a-!TaCdj^W2!9Oq7B8}~dG#_$@MgUkhHo`{*f0q<s
zNBV{?H*<rZu{R?2Ml>nl(!GWuA*g?BNyHwA8PsQ8p9cThzJj;N2Kq&C{1VF~kZrnw
zG~Imzc1qGW_V91NhJRbY9=%p_%pL!sX`w|I+OHL~5q%IE<BnAJuICu=WG(4FZxF|{
zQ)lum*zJAvO{u!nx~jZ2pwk?5a00mvcPcmYNRGKfkW7{6I-?Oj029My*}YwvSCnV!
zs@f0c{{{<$RB(MAz2A!B2P`FJ_U~#FWJi}xC=Ylicb^>Pm2A8o$%>tF94}*;V(JmR
z(;eFw5Y~kE5Cf84J5OJ2e~=siRY3E$n+p}8;hGP1QAjJrYn4blaPoox7U-QlW*1XG
z=b?F%tTeS6n~Q{(<hn~s5-9pv&KCKtXA+Bf8r7A$*PrM|XN=t1lqc-$7gVsL?`K@A
zuQX-G2Odk-<o{3uS~4&BC-qgCsX(=lP-LgTsAEA~vmYM<oJ+B&M@{UsiZ>iBTzQy7
zU=mY^9uVRU5<ElKZ#`D|w@QR*8qd$4dWQAv*kJXtWMEQ+D)H?NEcd5abMIe9AVI+Z
zc}(alIm&Nr73&52yD|+TEv7ROaf(r|B$!_7QBs2LlM!IIGte0+PT#zWvx^72oxd@#
zk6P+i7P<Z4sj0nFQm1D)WdgC}24F+lXkVDRVi0j;p{ZQ1o*u(j8fwm+BiZXatzuy6
zOmNNTv;uaSxzs0tE+y7#VVhECLlx2r_t|4WR<4p`WbnwCYF)m6>W_R$!E_&w2P5t(
zIo^sroD6P&WAYW!>`#}IbajlWZMIGp^JRoY)@;Q;-|Q{HmEwDzZsK&@DiLk9?~Bt3
zwXFFW`7O+M`KOwXvco>T#H8fwP~Be0!Xwet;jPmQvPY!l4jJw|B&@8KLCL!<>)kR7
z1}l}YaB63+9tiBQ#H1K@`b($ZJ86nrS7_D2-JO-LxD}6c%wB{vnyM&_ZI*>rFQ>7Q
z`5E^0A{6c{zH?KfzIm%U(WF_&2|R8&w=+-mI$A_r6}^1IOzV0b)*PokmseIPMEyLL
zdLa9t<shI}MH;@(M?YHP0^%m-1`ufvJ6wO;U%&{ulowz)1`Hi(B5zU4Z80RvzQBp5
z%`*iqiX1=rMiRTmzdF%K3UX4pyU9sXJPN#y9YpR6iMK2)q0Cjw<3S0sy0aTZNtc#c
zKpUGTD^(NO{G|CRwStiO9%vUMiN;ufV(|xdXdAq@uX(?Ct1lFo;f7!P5LWDd7_2>)
zgHk9p8eBsHo4$eN{;9ASib*nu(zB5P9zKd)zOXy0%3M$rK6ut2WHp@c80)69)?ioH
zuM+A}c~il8)b%=F*rTm$+d&0S5~am`BsPtqu=1k0)0lB`f8`6E)KG8j#Io1j1;+O?
zQe-0M-`BIio5Fe)Jip=d`*HIcMQ2NLizu9+-@9z~+$d1RD{KEZIjUC1o_VTkcEXPF
zu6Rcsm|nk{>+!ex;5VfWcZ6d>(SDSbJ!g$ZyQi^Gv*A@*L)Y14x?Ch?{$q*dGX^|8
z*-yoh&&yE_0>AiILqml?OiOX2whvQH17p_x206!UV2MIs?36=48MY&e<t|f5`(>_B
z(YS=9kh}C)qZ6u90aT82bwqYx!o)OkS0KQ=h&|lqNKgcqlf|eY`||tm?KiJhNvoTP
za@(e_H&TPLIjZ_HY8HKR@3Io|(|kpWfK63O@3w@ec<|s?9{gMDkPk$tRW-cUw%6Vq
z-x7uc9S!}7mxILfaXRY&in)J?nBS`k_`UzvT}f^6Cc7P?PTtp16wbTodw!6GTmY<<
zPy0IFgGSgx+=h(LVLV1P3kj(CML1pKN!*x1Gs&#P&{ZpYF8)Qa1Rko|6Ou{Epqs>L
z7u6$qM^Kb$*;9+AjY`Wpj<N<Fv&6g-qzi?pL~#-NJ5tzd6n~YrjB6H!d;$}v^Bb>7
zOJ{=K4rY~72CS5uL4nf;6y^dM#^q!2SPWCB1WV3}O6Q<B8$oi+w|uVbL6%8kNPqGt
zRpL3E=vZ|_-ZI$tLMv>IsteC%gM$E|nstPaE^Pnn9_chVa`$wUs-GpJ$eqRdMj%0*
zmoDfU#&x5&VF6pgYeHzwkqiY0*4NpwcWD(WO{>gJKx!8s5cFkpzKHJkI5=@hZCIH8
zhji(jNYdCB$+?u^l-5I@ypDn_f3>05bO;((hI&hOTV@YkLLr$5>nt+=>QTv|c21nT
z#S{S)L2h*-*WFP3%|Xw0jAyx_;VqWUj=___{_5j+ZA<faL<kJv;4ZGIXQetJ6e90?
zJj!ek#afF9H%+qSPgOSDHu-4jWhIjV60*v8XNurOLY8r7a7vmu>F>mfVSmqYdu0Sv
zO#=13%JkiWV__@AA`HJ5I&Y{Yimez0+LHz>N>&l)PzSgg&Ri{5w+3QRCl*ONoPniP
zQt!O#!%%b~c+S=kZUz`;v|#$n6PjS{ed~r+TI^(Kv*;PLq&BiZxp#=-d8tt?F_L5(
zscrtlSQ^%UnAzK-Pa1kUTjEv%U4v{7M4cNVEjiB+jkYSvL=U>6lW>$qwZMwds~O&2
zqf^jRSVxOcX>DDTnaF+~fDh8tNo*_!?!Q#e<?&u^=0=c0|JLZk-zvlXTT~^>F?{(q
zt`wdt&Xy$qsy=~X{kTxu9!IWM?N<w`dv9DaYUt-wH${dGPm&CIsg5JP$1oZc_*#6^
zDoOkLP2rYx(rLzpXbi7?#2LACLDFoOBpHn6PCHRW7Tq7+z_wk=g03d!ui%uMB3%2P
z7OmZK){C{yo}ir~BC=jpd`{bNB47I&E|EELhGG^U6=JTk!FI~MX=q02R`iL#FQvqM
zACC6Y)?jYv67h(pS~M{m=O#tzh>5vGp)rU$t&p}y9&P=`g@KkYSCRd~X=;)8695hQ
zXz$<#KoixyPJ$YC;UfiCY5<RZ_?emJ#$fjl+nUTkDXt8xjoyzkAgI*S!I>>Xu+<~M
z#P?oX2YcKZa$O^7l+Qv?%xy`djX#%jQg%KVZvFx%(T!VjCiSrBi+|+d5IA6&WUx3L
z@1$fwnWjmFIA<&x(zEN+({S6>P+}9b_vejWA&OOV4xp+{R%F-X!%92q((zf(6X(x{
zn|tS-3RW2D*9U@@3~ecds29K}U4_23=|^hYtaHuDm+b(xwNj`l&zwZ;L02Ut9}_AK
zhj!~$m`kGksuG;OpXYw_&1!HWWq1WsLMzH{+4oq`DC$#6frL>Qbmnibvz3pGZehG2
z&u(3OsZwV_VONuEts)xLtyvcg8}(%3Qss^#?=?^I+Q|0<7#FvyxD=&-np$*xB|bW(
z@>tZZG<FSR6IY7lbH222=Scw?id<m9Jg;n`8v!QpU#vu`@_Te+1&u_*6HB?6$ZjVy
zet4p=;+JW1V+RT$f2<4!MhngT3iX4pb-r*V4=n#2^K6Tqh8vlOooikv-_~xoK|hy>
z`d^!i6AOk%HwcfX+Ah~!l(lNhBY2P^63ot8NI00Pr0`M~?MMM+*I}4rQOvy`Arx0N
zUXpYCk<7^3FY=)$D-b`=@A{0_N;yQlGu+PvX(AdLf=52yI(H;HEe@x%GV{5y-6EeZ
zG@HfI+Ri|9B4uPJ@u6FR`r3Vylh)eGhyFBL6E{d5CW&J5rye$~nGMN`lT%g(h2nzZ
zta~-*DPhE5+g{{VMtN2l{cCL2b<~yLQZo*!b=A&v01Iw}cYM?+(@H(ydiMmms%fi{
zSU3Q5h@;Bcl-I+4T0<L3s%`}q7`hf5Y@r`l5L8qY_za;mI)pZa<o0ab@aX=HKh8<i
zp1CChbybw2OM+lC6snLfPPil5uUy|eZ(Oe7tl}X*CjB#`kNSXAy-2Kl<93QTzh$nR
z*0x*$rI$sqG<{QffbL8=1#`{n+kj8CotnM9)iHs?dDg<_=C+1j5aT2y4j%LSAGutU
zePbQ4T@eXrM?fV0O&So`3nzu?L+&uR6TYQOcCu=ym6NmGUE>=W<bqj8ct4upO}Zz-
zbmM%;5m@uzC70pw3AK`Vvvko&uHA<@HIv0=xC9n2ESqSCw^KGeNIEsBHV{p1gNoOh
zgp)-{nah;Y`vSTG5s($?dp*a|S4s-TjG8WUrCu+UqS53=qax<<5VI(zjB-QBatXuG
zLcUxsOdHUDL<y9x=yjbU>K>EN@)^x65V`_da`_5+3}9v+Mx1%UYJS@os`QwKp_oiE
zVJ87of0Lg(d?Z3j3()E9*{Q;*PcdCU)QLaw`^{<KkPDkTO89nw9O?IC+MQeAtgUOf
zSMV+yw^f$(p_6PK$EuaUJl=*QGh1V4<Ehk2q6^!$?amG9ae$iO%m@1Tmdz@r93)j?
zZ2aZWbIKT`9%%0#EM(wy%eaaPSq(~bs=*E1=ehErUg$MJ?{TF#x#Sh;%CitUGfa_v
z%<;C@IQ`lQMa%KXD4jHs1!Ucbm7!#zqe_;b;M-Z;WDz`qk4SV0_t`?4v9=;_bz2<%
zU?|y5ZloXrK6-ZL8-jLEtMF<Y@`NAdq^w89>pFI+<W8CEa6C}tr1Qo(S4*eS8d+gl
z7Fk-a4P3cE*tgi!w%PGW*we4xX*hbY`Jx@Iq91rpA>~9r{qh(7+7Jl~ywDjmZ7NZl
z;kXa>g2VW>4+U_AJE|mKITN+A<5ZT*{x#>kTo>zy7&=;RKyMS*IcvfFyXzEFq4$Dp
z6p@U$8>OJ4<x(%bhR(sLoNH=~Fm7(g0b5mxrJkVVDLC4U4f#*(OUeJkj(9}|F}nT5
z1KW=wF;B)i4KtZgpB)wl?67zIBF2-NH=))oLwop}92e=5_VrnNb+vd=PwbpU_%qe|
zInZ{mEnz|_0*!p9Cx}ZUHnbvTiSa4rt7iqIoD40y$sB<#!vs?g;==Z6TRDlRWq2<e
zRx^TO8XNXr<KiYf0;IyjwYf9Ce-D``Q%9GWIP!q^XrTm#F-TN3HRtH$3AI;1uc)mA
z`b~;d<+4RVnq@RuWF^MbIg7<cL_{6e=nV)ZNe*mzq|{mYpt{0JXt#=Whk!5H0G?o&
zoeIYDysTgg19HGeglv?Luc}-qifZc5^a?JE14b3tszToID?zpts}2QIEyRyuH)I#g
zonf#sVAK{w8)qR@fF=ZqKVPST?vY2ej$^~!hR1z`rv$p3;de=mN+QA|{9-@tR*{>s
zcyCMb=6Q@rG(*lNV~R}YqJ09$I243<EUr}+CmeW(Z?t~%KZHjQ-JQlAXd6|;PLcgX
zj!gZ(A-N+HjZ$x90*1HOwPaJQHK{`7V&jmH>xV>lavB_VCgy3S#OLoV%4x%6hbuE>
zYckTi3B^&8&dS`?gSL<^6AzvD1!*`!PBKd(Y8)zrrM~wRT;dxXiZMk>EqK(@XPk{%
z-<@6VDm?^q+`c6vGR+TO%EX8qg-vdw63Y|3DNszaQra<8RH#z*F*@8Yt|!Up60*7x
z)RwSGOis-n7t8C&0^PL@vY%MUeIs=8Vi9~)1CUa5PN@alX0om<2E32~=FaCU>*|(D
zRdh-mhR)J8173vozm##kYw-2viu5{Z*v6A7rNoa#P!-`*rpj$x8I~|rTt6@Bc&aN!
znqm+->r5KUr5XYg4R{*dok+drbLJ9V^RGhEhd0uf+*4APo9doWZLGoTYjJr}>*Uju
z;fSKY*aZYd@$5pPZnJ9glrk~>u(VLoK&{*zAK=@T(E6=_yojwOM^l-kf!CY+mCoZ9
zblqQCaxA?0lvJONW8P<p%~gvQ=2z>kKiVAT+_si@^^T>qeD1+KN1iA3e<J!lSL^-f
zag>r(F}rkA8^tic%W87uB&;h<*M9KZm(R0I*d0G(y{*^ZDzod4ZubJ>L&nQ_Ua8-E
z`BiRR`@f3h^qoY^8;Y-f_qI&g9J>@nisT?aUO$X#1DG)LeTK+byCgd6JThVC59_B^
z=;>dO-)Jl8Y%ol|jHD`*i9#H8mT@GIJz&lxXywer8_a7B*qx+D;bU7t&iU<fcv*VW
z6aWF-Rm#qZ7smxQFz11WtCoMgG~k5Pj!Cyk9n9c0>cSL+Hb5CINViW6Ka<xID_Uw#
zsN!mj`^e~c1<Ud6;ISOQsrbh5VyDK`%N}H3={`kA=QOG;y?&H&14VELig^e$Wr<IO
z;DeAoFzR5+=I}SOaOre)gb&?&tg(DEarF3FyJyMB&SeKvAht9Y>R7KH?1X!t1^KnY
zHlw~Iy1^cFxeu;SUr~M%F@(bB?VaA5@qLWiWVXkfu*v(y`4;!%|J$AEcDlJ5ET6>Y
zRi7ssQRL<Os)Sf=H=DGpkxTw6>r$7L95Nm|#dorv{hBg{)Rm`|bZSmAw=ZN(+@8Q$
zFl8tt7Ol$(mHDC{X(f?Sh9%Aos3c^ps~dQGokAFpbvdTN08F<kmPo8@9w_L4b<F6c
zPJJEB>V8!y=n9Cb;K%V<YbPe`4N>lx>TE6v%=1m2gX6+m=8&9ZS6&AY{AIzsZ!Ig_
zD5T5U7Q&Q_^JLE<t_Kd$nURj?V8A9R3ar#z@kBf=Un{d(Rhfg#`9)b0!8N>Y$^&W2
z7bz#rg<f)@cEM_@DRW37NbAv3rG_YC5Sl}l8%|^UBxH4^@FxcfzHICBLPW|}_QF~T
z6CbeTai}S|JjA9r?jg^Y8Q{ZhwBPZ^L=L)E{E~sYV{p8400qWn_{IK;W3H{{hfAGB
zee%{qIUCRr7(sM*%VZLSFhjYX*p>KizM?!tVT`;^0mdBVk}!h=_JN1$^y3Y^r&SR1
zo9CJ0PBkr=;jT(wszR0{q_+k?f_t)QNl%gsIGNe5u5jp@Mdna)g}%1P$BCUFDcg*P
zxhU$zDYG*Ec<~If?>nxeB3_-VjO^a}4ZJmMoo>hgahpyn)6yyEnu(HUYse$r>==Y+
zlxDFM_E~o1ahU@qVc&C;sXtNc_Loi1<*wa<roe9dAYKONO@-tY39!R&x)+<??=2id
z_*#J&-M;+Z-l%6JDX(G*LB`rSYR;cjFu!Pa!J%<`)wJ8PJtwwU6K=E)PeK>b)wrO8
zB*nBMt5s?W?U{lVx0|!`u=(}nTPG*=vv5~#NSf&jFb=n>IF?HseA^0dzz{i-`~gEi
zL~JiuX$0iK!M|A=IZ{>}dyEWamZIBNwdsSVicYqfl5>na>1BGn!NCA@^%AVDzPHm@
z1MCo=?<3x&=R$`(D{y8rYPH~<Z-cQuoo_Q>x-^PlXKnqRhm)1lySumh)6dhF!AGO=
zXQ$d&Mah%A+9{+=!oE$Yi^X4nb*PF5C)VuS)4MYGc$&B!^n)*8CyJ9Uxc9R8BQ5yL
zhhIKC?KodbqAIra8D^^=FPCNg<F{cFPS>v%Rz=^PI5}rec{31#@Ue;z{}d(I({DAh
zi1XlUWBqXK!Emh`%{OL$^YMQBxbt^*^YvBFdY@S{X`4#9C>(mFo#Eu>>BoFsoWH%;
z@!`Ccv{v+6Br-D0*3E>SP)-9~&~u1(^I+4G%t%=DclYsqI|DR=a2y}0#$wPoTYl^}
zvqk-Jn?x5JSp^7^X_}*iF{OlGOkD53)eKP@em>?J68QOb8&7NGK@PaHQ}T(+PI)A8
zR+%tJe&fK`ku+=O{maJ;3u@XsJtPCEzWY@M{^9Jz&SkCBd2Gz|hUf%|y;znR5kJwl
zIZUA!JtKgZ=euKux^*!9kV_CZI%>INXb8suSyoh~tS`Kzt7UrzY!jsIL%S*W-Nlg=
zkmGYSAku`89f@T~nCHva_XY4QJazJ1TXHV9U98t1vE<JW%NyxQCNF%(rr<AYm=bj2
zH&Ywv=}Da5`n31sDHY*lwifXKZGSz!1pIpTsP8g2x)AYcPYeHPTkOTV#{&t`Kdg@I
zC9`TB2Rfy>`e5?SYXUA{ao(RguLF@jy=$CJ+6kOGyM!M*uQxn2o0RZ~Fa`Ibiz%23
zZ3|#Cm(>go5IS=Kb8h=aYgRLC*D$H~Lx&C1QFIT#&EI*1eV2N3Py1-jIcrp133GUD
zo*!vd5Z`?Pqf(K*;@^O8yaL;;VU9?umOQqWJV3~hUgWIU46ScssX#;rohbYqZ$u3!
z=~$%Z5$`vkcX-xN+bYs4RA9i1a|%LUU<QuWQXSjL+aEitMOVk5f)10km8V>T$kZ|r
zQd}X@iWN~mJ5&2{xU42b@jKnQ;}roV$%3$k0>zx0LHQyz!lB&pghgK@Vwqhrm5yY}
zrm?EAH$&OfvL)aR>xV!$G$8}~Mr-4FBIsoyUz1LXzc-5ZqmFG<sQf;B?J^VTd<86R
z^n1uh_zZFYM><Zf@svvS;E0%r%k?X}wZn^>X!#@RbyBp}^g$2#k{rD5W9tPJ7INwX
z=GmrhRCQ6jKG_Ch2|8Kxpdo#5y|wu7qil*0Nw-e!@^P93lTZT`wg&&GV|{D^clm!R
zvdx`)=whvCIleAEM$)uzeG7a(&S|(8uD%P7t^HAT6*^r!k``pf>3**|Ww^Op{zm*C
zBL|GPE@J{Q5YTQF(EnrPK=@xqj{m|;_jr0Aa3pels3Y~fn_UuUpPRB|XkDxqn7Qpo
z)U|A#t;gKA6QiWA$tU1|+|672JwFTYK?viwrcYlwz9Y7YfvAUcDsw&9UZf_o(ci6n
zWw~EaOiS7Jp<{BBa$ooq*SJSvM6pmbw|u)+EuOjaY<EkIJyuI$U>9ujvQRunAL0%D
z?H(g=SfIP0pf=xj*4|Q9IWGgz0~*=69{UwnEUo#~msWCsl7_ggoe&@GUX)%U-s|b1
zk}59UCHl3KFEy4#496vSy{@bv-Ax4zg!YH5tP^AO_dFeLcv!Y8FJ}~<M1VVmHuH!!
z?)Gjv`q3c6+arx6RgW<5rLjUJZgPAU8|CTlE|7kUT3;2$+neocWsqgWW$0m1PL+ld
zie?SR+iN8`gxB)haQ@ZpbzHbv^4i$=XEznLxFPV9IKv-GP5KxmkTql`e6Ge}dWQLG
zsks0zf3!8<hl`?L4{KFIn<;T%K|CtHbHHKC2|!@2RUgip$aFe}3X4F~r-GNO?^5ms
zWL?l4p_uRC@~RsW5+*LiCT!c7RAbi7VGf4wUt69LPjk`<MWQH0tB!LQX?4A#bq4?X
zJbS*UaUTl3Q)G#}8Gm&JUly?`O3gfB5iI^Z(8d?5!vq%iUnxl2$TlVG3gW=`IdZN@
zWv~jP3A!a7u6Nl<;2OGu`ntE;a0hNA^OM7ILA-R6S(8=7Fc0F$EW**l<)KZAvz67h
z{-h=CyJnhW<uHzD;{;h5<R7q6aFg2uHiheW8F^1nA&k*5?;*FZKCrfpBkux<uOTJ?
z-9}`>9@JSNmgHpDHXEmXk>HWev60M!*0GV<L{oFg4X?l3cu~;+kuD4T+=AD=*WH)y
zMtb2<u_#0RqnDM-sG=<oTDFSfQ-;0ytXOWAB5R)7^?@GTUF!+@?!xS5NgZBw%YqCp
z6LY&^QB6rdgI>S9e)+QC#T5PvTMasWX(xpL-7Uc1)r%E7Gpise`iSC8!%zk`4OQ|>
z1ZmX*%@Uj(8Yd~MkPNCQan3VA6$Fk>T5dr%5n%KSf_-=C1~Kdeb5I!I32^uN6zJsQ
z=lLXX(no5gx@XHHik_J?Np)c@BP#Hec97C`$=HQt@RGR$tDkLx1gK)L4v{D3L8)}T
zE#BlNu#93)s7y#HOmGZ<kcBxFM4YTJQIwN4?WdA~kTho|r5ENP6B8MC?p#smwM21K
z^S0I}k(BEHfa<BFpCYr}cam<EwDGSbP9(Qo5}E)O$nD<C=LHU!J&d<LGov#Nv6$<W
z1=-Z%8#;@4#<dRKcmo8h<o5rl#j&Orx~af7yY$tjw0UF&O@H~RCZF2tBxddR21!^G
zpt5C_K~r0be?{=+7ZZtmI$~%)`5(6z2dfqqj2i)`hQb>NWWq`HO3O|lmBE!<BBBj*
zO-e0Da48~z2UCM`*v4~rkdqHE>;8ZyDarN{@lm%iL*tsN+mm$ixrj4MJhSOh60O3m
zYat?B0%dEl#UmVKM0f_)k_G;z{36I9R0jArYohIZ+kE)7MJdcOguO$}E}{-N1!6-;
zsOk(+TLkJUq?yIKQ2xrjo;C}ck(^l1vls%2!p31-phLdI5%kA7(31Wx-4#9Fsnv0b
z)}%j*_OZiQ>x-LF09KdeM=NSMYum^5km4FViZ*C@x*Giu&qmhM$i3%mVvC!Ae(+qc
z?H+nQKcao#Hsu8p*l+m4#xh_SWFo%Q{*#s{NNm?Nl*PzVS+&wmB{1#uN=;RmXe6P5
ze0$CvWQX=*lxZO?eJ7Ei7oUDO9c$W*Wtdv5EnFRB1nPE=bd%l&^LAlAXUG`DU~*3L
zqG%cC--i&E8yke8H?nxV%XmDF)7l*XH-$M{5FX5&h}s;fDy<SZx-KJ=+BGvViJNV1
zis#o!rw|qJF{Rt+BAnU~a@a>|LJ|Dv%tGvo=a-p0Ori)Ou2Bt_sHh1Oa+A2ldC@-;
z^=k5$Ds(crCiP&E8O=4Zjy=5WU1}rvp{+CvU|ZQJpBTIEAGaQ!i4L`r`0B{{m)`1i
zah%x@gg|hbGAw-$#{NR$1fE2Z7tGK9;7o>0Q4>6(m`b1|m?P%6zJ0O@gffQo=Z0v?
zUuum$2}^D)^s&O3c1Aw18;V3x#L*0Kl{?c{=3p$kw_}#Rw<r;VHnkSe=1zqV%zEAD
ziE2-ub|Ns^bmTgT8J-x19>*l+S#i};JZbgs+b-~;`rTwFSbG~jt$4k<yW_eC>oJQz
zVUza_&}Of308|B*s|E*eH5QJEWX2x@6ig%%pRIGzJcLcg=n*1Z!E<^iAPnw@$Vh4G
zA|{|6e+9A1Y_-NsYH^KnL&L$-S0#8B_h~D5ow~&X1ZnT7>rxc$6`YqNoe7d4YNYoZ
z5J0J!?dO6if_vmy?=IIz7Wh&Xne)Iuu`7JVcQEA}RVnh$T+3J{o#%$Dg<s@XFHW0B
zRBPcs&o+#D+Xckx%+#T}Y)aTB8uw$#^s0+~$yks@nu-h>xY7ow7V%9Sm?V}}uknoV
zD9G7TuxZj~ll_~Z@TDGyvgPnZqhfISdq^ikWSy*zI`CV@dP0L{Xi?d28+M6W@9mti
z--O4Q%wm))j}9m2{?3Ohc3iJWXM7QUsm^^0dR%)#L?d-ioIr6W$+_8Rv2EQ||0wei
zY=2q(A`ezYAbJgF@u#Q4G{~JBuWi+T>%n}mA#|?(LYlbE7Uqw_5j>omVtop+Xo5IO
zqUbu|l*;c-bx|Q|Q2#&?V+^UVOtQLVdJD)|8~E}sx%_|!TxTaYCEsNqr*GBfg7V|9
zI%*_j96(p-`+V-yqjAb7S&Gzk>+!PIz9n1ELTfHNv=Y_X$9ljHY!h(z4RSB&@h0bs
zGPr~;{;7&7HyBAO^|e@Bo=E&~6+Y!a&ESz9k7)#^?r()^f%5B>F!=<yyM$#MyQ?NQ
z6@8RiAt*CbzOLh;gjh(DfxjT^ZyU)3f3gKdCGsV7Wor^^S28(j5OWXH^^n^ZZV-iQ
zeqQjVi1c=G8H8BDN(f2U)MX;MOF1mQWVrUI|CPDSn<9Xyzv|;wBQL0?(u8pY1#97}
z(GKXfF&D?vJ1(DH(o|}j((=K`-=N;NkTR$VDE|Hf#XqqFUNxpGp^2NIp*30hYv96a
zR<u#hcvw%+4*47Qu-)$TfjI7aR<1Sb+Ak&}ow0V){1+aKDRXX<xb)B2^305p6F{Qd
zZbQ|x`8XC3G!|O)O1F3fNgW?ZTSreqm^wG6TUu{X)s68-U`9vpv*ZXmax_$mJ<{z~
zH5T<3(yekC+&!RqiLCiy4qs|RX}|}PV%eKUtw(mwnPrwFoyl16>l0ZkNRLAl%{M90
zsh7K1tSaUi{V^G)xlue(lwMgsz6C&T`rHD$zj9FTz?W9b4tJYObfzi`TB6}%KQ1EI
zXmacT^}g<#BM$o{H<n$SZT<OPL3WZHDSP3_*?n8^O*VIw<<sRS_Ui<fg91g<9jZ6`
zgULSJTeX6AA}ui?kg>nnOa-Z$y*eGzN(Zr4grySn*w|GzTF1U*2g+Xu;^(0K3;lLe
zN?l`*Yb3dceqVerrO={i%1gjLh{*A*@$F?z^%*%FR_JgVKW_|lyFuaNpF2yU;u@L*
zm}iGA>QJe<bC`=u*sew1PkHvZ5>U~-U?wM3%P1>k9s8jhTdQ;aGpRaq9fgUr4U1Or
z4Ccqv@A^~Ga1ACGc3I;nCe-uNTzmTWtU(p&X46CI_4?mKK1A@1jYtcZgD0a(UaL;b
zZ6_Z>4Sq2tHqZa+ugKlk6+!M8Wu7EJDs>u`%qZq&AVlNFXbzN@_DuT`2Z0+UZ`!yS
zZs9&FuWNrL7ZWnGG-ZzaC3GB!#Me4NA$zDgF<_XB$PB?iLta}rK^TOby9`A4>Gz0$
zI%LMfo#o5A&IbjQQYWw0Dz$HtnWLd|TWWD@Pf0NZxGtF{9-~S-m^ec_Y%3dvI3bS1
z8<@#K|8SHk)Mx`rBAiCWI>NP;ud!lVl_$oc3qgzjHLSbAM=~52Zv|*byd#yn%kV;=
z@YI7XyGD=uWFWQPNAUfkYPa?U-z`lac-P-4-=jzG*%YvuFFDa}`fLfNwH?ypi412-
zU=Jl{=qacV9)~_|%q(srlMHD;p+fg!?EOPdgyn0bn&>CQI#3$YZAw1U0iKc-*j`{M
zhg1q+R!ysNDgx0}(Y&N<OT~;+DPwGLZvtT!(H?cspHTkbVTg?0{Xo{&IY9m#QWvNn
zFVlG5?M+NJm~cN8dTRM+KCg#a*ZZZjoj{&7a3vjRxDUbd?iQA$)KNC|tIt4726S?=
zqQPWVyg39@HEq>@kP4c<Q8zFWB?XMi#f*%cKP?SEhM63CKewwri9twc6LG={5r6xa
zl;F@}V|qfY9{-hDItvsMVZ6?k1lEywZyIBxoQ?XXGyQ%ix$k=-(WYK#NQPOlWcZEI
zim%v$vIytV;9f1=C_T0u0&=3`U1$!|4C~Q9UnvF0Y*M|{7vUJf+O&O94~JRc;>b5a
zC3!M^2mC<4IG8q2_%HDd7y5^69U^DoZWNwj+<tlaL@4J)74-dXla_$7QXFXswE{hy
z(9eL4Au6nkfi$zak=;1PV4()p5@z-CHv&>V1`IeZPtE<;Y_bLHiJJ*kLhO^F9BG#(
zDJa`aRu<wC;mwS_ci0M%_yurC&cWw1J7&>W6AlV;DOu_mGLulxF>%)^)AnxKN*LLM
z(ldNPu7iP}D@xQ3_RWyKh-n@*F$tyKsu_3;IFD~I??Iaq;O|~+wV7$%WlY$!cm^<W
zm56+s7K?Xh*sJ8JlUZ_qbTs$i49t2bZTUlM*)f;KI7XpMzW@E(-{3aBvG_z25^^7G
z6QxqP&D{=6u<wIh>KKBECL;3dG?-Jf_TEl;pYBtRq^28EuY_BOf#x#-@k4M<U6%S)
z9rjAsumWAoR-|m{bU_SyEU9I$@_kxNZt6DL-*&0m;5>qwcG2e!YI~p(5$FisKDJJ(
zLN2;w*nXN-nvOOA5-&d6DimKav(AMNc4Fm*Z{yDMrFHNTzT@CWYn&NI_W_o>Vv-^^
zN%$}#h;xn|^OZYxQxH7;o#oNh5|npa{p#m(`F&nsDQS^XzIfKXRs%u8iSVjm?1>c^
zh0Cq(n1aYH#Jkm~2|;oNsNeqV`O`b-#7!J%2B%z!Qdo}<PLqn0uG#sR@q?jvp1?5<
zWeKDf{eG%KJVO55tWyu`Ruz7N%DvzDeFW;awQgS|-QTZGCh%K}$NmxWVKwsBo+Dp-
zFGdnbo0}lwV*Mb2<#=ga`)Vc@F2O#-TLTsG@EE9|XBeH~zX;0CfZxS<d}LXL-I@IP
z-AwN4hgLwSEXoTq8HH#UXEFu<=<Fetgw^HsSSlF>!M_J&+9A?RQ824S^#72#SxaY7
z!HwB!Cg2zX!P4fV4flj(=2=O(z%bgV`d>qoWw0|Qesc+<TM(1MU05=#8@d;}wdB~j
zP|nFJ0@3mz|I5y3{(83J2G-Qy{ZDFOnH42LSdt7`k6c2+3_ins4x$RFy*4Fy!7CwF
zVer&0!TvB_t+@Lyh`%{ZDy{R750V{@Ij$Igy-W_)0~7FOD>kGOw6Mj}3%Z<w>em)w
zleNHTW1B+=jD>9!uCbf<e^n?U)q;rBRBCnUHzRR^6p1s8+9{Gaef>GG7-g5eb*u;>
z&Y**osC++ix7A<}iBT89i|=|TO8z>TgcF!@>Ql%6a>Dsm>nd-Hte2;2g7Vl*Rc+SO
zMmR7|ioB#KiMDNB;>a+Jny<J^T;VIQtKO}QljSAei%=RzB~J<tw-zGj_kSp0Nt#1<
zf-S8Mft@|l$cbdhDdwJ;gA_i4l&@^})>aaB;u9Z^0Y`E0SgA-&(#K8@M880f1@o#3
z`0%g>1+-h+t<m~KOKTjW&ip-U!JX%eX5lhLzGW!c0wp_t0*EKYKYMC#L8kJm&FjcF
z0mT1<uXBnKrHQui*tTukwr!rVZQHhO+qP}%jL+D<^FQ2|`*6EcT}gFkcXukOq^kB>
zUn#);Dv1T>gwnP_CUxhZ`SX%Yk5D6`S~~efq{@po8$vl#u<>5VTQ}8bXqs0y(P4ey
zr!<LrNr#X!9<e!9N`0ifJ+wTCnoU8}N)*k^pvEBq^|E>L!X?1Ph`Lew+hvjkrh!hs
zb;T=O@{rSqe}aKL39zpu7uKH*F+d(Iq0|jRCFbHUw@LT!F!PT3t`Wq<(d1@kZf_o%
z(~=W-^MFbf`~;WLOFSEQejEiyuA92Ypes_cbZV;C_{|t4>d4UGZu5L(q@T9I`}w>>
zOUHi1&+v)NkH7-2`Q06k8dj@iX&snzT@Xt;@c-r_xt#rdeLhL^?=#t}Nrr0!KGdWK
z@XoS_DQ6X;DGP8>LRJ-8a^|FkB;l;XGCE@@t-l5&>lq1VT_epvOcq(o!}O8?P!Pg}
zNc~uuDE0Bqig|+`WFTUuoM|XNp6rqlrik#@{(ek%&iXO;Ugkn$cHRb}GEXmJ_y!Bk
zOjQvacU#I+SZH`NwB)9W>d^#0R)ZG!=hYb1s1A)$&`I4P6GsU5>g-kZ>rjaq@k&V!
z!_${9!owk)-<s9++AchYXoH#*UnMi(4KckCMPbzAs&^93(dlGdZQx?Fz7cpo?eMsz
zGsc#Ioa-kcGJ28g8)sbkhggN^{#pJ~gd7HKV?GtpmqI!*VXSld`ox8hXfL4Ge?%r2
zetNTU^JOHgjx4W99JqjqBmaVX6zHU%2wdZT80}MeIHCHT2y8p3uw$8zd-4xcwP%kw
zN@~lZqwuN%0ZH$hdU#1<3V+&1%j`OF4oFL6@Y*{eORWjoD<mIv5Wl-=B~G#+UZBDY
z9V~h)Q6g$MQ<b0)YlZy*_{k+`@Dmh`<i(?mrWKM(S(KVA{h{>5N~^jWHg(t{W>Arx
zUy@+gTxUeKRru&EFu$IPEJgw<esOcm-qf&*Y$R4!sunfC&V3&s$wH@uuJ^A>v2<2=
z65}2WMLFrbvzwjN!mHhnn@cYq|LLDE>uwhojWER1GngnLZd>F~+zmaGo!>Oqp>gE(
zsj~F>iXSlrk-#nKuv2i+XwVep`MKB!7=VkZ>#L<mSCTze@ADR<R<RHHI-Ol!WONXT
z!dyVBIi+cMKToAvJ{+Z>DvY|z%>?1{v{3uF&0f+d?FROT?XRW-ob+pji*#=Rj`RM|
zEt$L2cu>6@QLPG1@g@W4k~%5Wm!gORrT?>#Fq^}<u_Or&bzu&lSW-QLRDM+uGnDMi
zA8a|_EP#)WLRRh8F7qeb(CqNNl{g6!@r}iaaJ;e{w{~>5I7u{O3==WU8-z-qM1MMb
zt9Ucq3`$VGdZ-cI;7iT-g790Bs6-8T3#{@}48k4t*{FQj+_k4>61V!X1k8?>#jltp
z+gQ@XN3FIca}xD<sYKT&mqPFZ)Yz{-HxX=fcImUz`#EsixJm{0y)K`S*cuYHs)759
z_TN+`MSZlr+%JJ6mBaPYi-L<E=~&qV3kXot5{tkUH#q>qdQ9)&d7FumhOvUzmxqXy
zWY%61Nd+nUU&PF`$05LUl=qw~Jno~~TVvv%$x|aYk*n$F=ehUc^G^6r21@GbVwM?7
zVvNa6Xbr3-I}uDquQQJL$5au4*oW?Vwa-IPlaXn<p8<Ke`vPtOcQND>0h47L5%jy{
zIi8hKd6$J3@Gu7O-t7!C5^$GMOwtY71ZlzKyFSa2G9_BKeodZ0$<~r8{B2QkUBn4w
zZiUTXDc&EU{V_ht+0)}TN>>X65(Tr8h_Yt1&B?zlnZ>FX8L=Uhz5i-;AQ-c<%F9F7
zP{bTXY!BG618Q4q?d^G7Ar-_=4#j>9D?p_i8}r}AHAQ_St3`sN#1WCamRT&+2y>Uf
zs&G(sY@G6esZ^h1%P@1@=FJ&P|K>sSQS?+l0FqBM1V0wU@X0W?^rDfz6Zk=j@HYFW
z2B%PVJh8|vT0cS<jE-B+0_6Fh%(Kx?*l5w1Ki7vP1(TQ>yNSL<XhS7@prxj5Za={P
z*sdE=eMWM;phSM6zmZd9w;(VuU9N}cfb6ZPzK_^)Dx%kpOIrieJ1TK%617zWJ5>o>
zvGVL<_ZP$DS8LtJA4@#cnzk4~RQmn7gU0<t-MGw3-93{mejC`mEyY==HF9Hx*ry2%
ztjE?7vKOu`sYHe18I~JdZ{S`%s1v{39HN>=Dp|9jtp+<UTBp4wCUhDO>fSv}i1&~*
z9(ja|!Z*w{q>7C*88J4r)1$iAsD7rd-v*BoBfbnvfrp)bK`QRsr+*ar!MpcTuKl~a
z(L%(_QD<v0Q{@s>m%5f*jH2q4rhZX$^{)mM|0`-;m087?%H)@x>|3h!CBn8s%>y@|
ztVoV+SA_JyBV;WUtPgJb?$$s#p_z%CA`y|qZ|DT+nty?Nb73u(qUIETtaEi@dT1W_
zs%U*F0~Q7mMZ1rm?y?<NEKs$bAuuC}ZWa|kC3b0_@VEFu>$}O%6UTlk2GD*M-eGhy
znK<{5hg_39T(~B~UQ$DEWzb0iLyp<fW*gOJ#?&C65Ju0=)4Sp0?6cS%LfM#YT16hF
zf)pZn%3)GUXOsMu!x#(5f^@cCr!e?bQJXUl)wtcoSegTs+8YXD8x+H)Ay6|^GrbF*
zasnxf;W0JK@2t5LU$D}Py(MiuLC8W{vjun8t8`XZIg#vli*Dn6;bnf6SQ*#lQ==p%
zMlMAUJ{vat;!NFT%K(6{Ocd6!3<e&!q9xR2``^Wm4YglVpUu_t_LV~Dk$eHyE!Xn$
z)fN;A-(Vorvzk{eOW!AyKljQ`4MYQpa{{9sFKK;(VzV&#CRXJIdVGanuCOgXiAjq_
zA!4={xVF^KZKQM+7rh7ISB-KK5<y&mef{HQU5#=I_hHRA@aI{4vE(<n=`?Pq@JYoC
z-sJVR$wskrmtaq;T5wZXYc|?LauQ+S6pc$Z7&sFdV=D4o;+gWAhruAya9~zrdc=8e
z;r5o-I4x;^NFCMmAv~~@y1GF{XSBGSYw#J28D?gpHJx0D@LAho*nKsXeP#H0OrE&&
zETOII3LS#R0^I8NMrVB}xfLFR+ARuwSw^P0xt60EL>Ud7)Wyy?DbE)KGYNdUb<>uE
zPxGRXT!c!(U!n7+Ky8=63lik4L~k=O@&K~J_kT?b+>lg18{g?cRj+}q#ul(xbe_Qr
zd*Wtg<s^<)5#u2ySo;zpd6A%&K)1u4P&#N?Q8VQ8_|f2r7#$|ziitbHL4==2wo<X(
zjn~w3vw*t#el>iQ*&{KxJ7-hqE<jjV&M3qqn@JoTsCpX$ndjiPdzHj>x|7TZwOWd?
zXdRh;(xGUK);aRk4@Ow#F8#6Tz`yA@W+SIB#yl$IKy$~nZ_o(qPcBzXLac}(ekokP
zF9XNnJax@s%1N`BjYgeval!QIm`59YTGt~=ZXe)BZI0+ZJ))IkZpZ}oagj21ZX|j5
zcTfq6rBAx|q&t9tF!^LH6f(!4S$0Yhyk&!3Bj(0ol1o0dET=%dg%k2%2B%CutMH7N
zfvQp-&T+U;-na5+pZhzqR~<JUF1fY~zQQx#>6bA}=+bqT&fp;?Qf+Z*S&<sLUHVAS
zs?rV&U1y<z-R?$B&PS^!J<~Avq&0-}zTAq>Q8t0U6-eiYyl?{U*`><|iG0kMSkyiK
zgcNWXxG!j_G79HypDnc9vHft(1f>-@2G#T*I{EU59k*^R9D&8eTJEK5M{=?>%7L8D
zbVu`!bB1ZVhuDZ$!Y4tFy~J72{ADF8t@piVKl~^KoL?t92d0itm>)A%Y~f|-Qqb9Z
zI}VIrFE2NvTDKSGI4NKW!eGW{5z|t7ZF-T@95_zowxDSdUA^Ux!r!)H<NNIC<Z8q?
zr<ZmpV+E$$3W;?GTCh;7Qno;i3EwtzwEeUUC;J(A)tE}N>MAsK-j;PS_uSmd9iaLz
z%{1Psla>X8;k^|_5%N+yZ<xCmXNWsSh4S@(0EI=kK@GL>Vct#aHp%pj)s4zT-W27Y
z1mn<O4E1k;a&9c3dcf+0+^J)*IYE^hLG<L{+pb1ctyW{02Ugu5tIm2&cB=@kRH}zN
zuJ!P4oF=hNu<u$$TkzupCw*?R=As0PY?W#AlBy4N;5#kp=1+gzWq3<j1dIKWcCbV?
z9ntcZQ4r{GcpF+Vvh?gZyV-NG<SdZ%LO7WTt-1ZrngCQc{_O0mWu%?c#^URc{SDqh
zJuaKPN};dS`r!Mxkf1wI=g$Q^jE%OKWCK^kt#k1fzcz4M3~x1ivB?sg)Wt9}s5uP(
z6}?fLx&2L}Kcjvd^j4{m+E*lRxyi2DO^3iHpwtnJJ!{r5j%eqwlTlFn<DpKZ)<#Oi
z+Z@|Lf2U|ujzPZ&Gf7cT4@VA}7uU_rxm<PKj?yK|Ih)0@wDN$N3f=?KZ;S4ejygd^
zj6Y9Hr<_iHsGV(kzsoX0vrsO4eJTo>)@m=3ea;;S87RaaQt_A|j4WH{Xn(MC{S#*1
zKw;!a^i0&<#ld%L7yZw>I0rLV|G38W5-m;Qvsm|rYLC&x`c6h#!29d1lC?9MZZD=*
zt4~07KQ{VBBJ-b<tY*5larf%l!v2_j9PcY+eWqTKThM^LN|03?-Cua5wMSoUT-?4c
zjMc~90gG0O-*wx^>-(^S^Wz1A&g#bzXf{&Lq_#`?OH8bW9c~_5aG{wqT#6PRdx91F
z!2p%1xP^t6GE}_MB%W<1igV}0wegIX@+77kReGb{Cb_}xGTz)V-HMs*sq#2`|4{Ad
zdh+D(5=$d!L1`qrk}ru%z%UjHq(iKD-)ft1?ks1qNKoV@e9fB`SifFNSbDnJJ@}8I
zqM=K3fGN&2aq^)iw=~OmX{^W8KrePIJsQB1UOhNVmhM*zN`^i``M4kOKxQ^wvsZpt
zdNFTza`B?1GsjzD0NIua$4=FcqNTjTqoN^F1ed5^qS8-0POeaxTiJsA!h*vxKOR{B
zYO^-nCrc;KyG1*YWBCFUFUQy2<G-)-r`yBBe?-L)*IvY(h!N-}lX$C$yZiqh9be<7
zE{m2H?Ehq(Es{;0^Yw9b@nC1;(g$IhH{qNe--RPPa-ozi_i=nUxMKn6EZGw8OP|%+
zbRY)444sXw^ov#<`-2ZfO%=5fxx@H|%k|-hMw6~va_%=p72U+8ZaSBQDE3cTXpx!6
zPCYp*a1}%y?1cqQ?E_HJuHNPcojEh`@WBl}U{{;$*%eKlweL0_TMdN>J4!bK#Zr_d
z-#t3zP&o4O@bYkd_3}lYflWp5abm^9%Juc}#nBZe9UL?K6$G*oL0DxVgv+vXDOiWA
z9x$)QPWR8A1qcR&lb%tpkyGafavV-pU(dJ~E&Bc0HnX)Gx>y5=O7ConSU2ORcID(G
zx`~(Fm`+K=rE4#yYpNRxzW7VQ1ZGEidbP(<((AKS+E_;@UVk1R<+fL{2e6M=TQ5Pm
z{J^X4zqtj!yCeyzBo@R{5S^9<{Hw8Zl+zJa-Kvl+W_tZToA!5y0o~eL2tadRtqt*|
zh*L;@^dI*g(lO4$FqIHmrcO$eeo35v{!b>wik;g_t>XqiMTqKr@XLAVJCL=LZSHq)
z6AL0K&AM<c=N$8x)wbB$5nE?0Df{1O9hNJI*#6AG*JBtB^4*Tu1;EV?ydnK)xZ#sW
zIU?IRWpVi5dD!Ri0AMHWB1n(OPXXV*BCG8IN6*t{{IwQ*H;N(Bq8nwlr}tqOA43Ox
z2>iT>nL4emKj(4k9bUYIC}Yh?T$y&yu{Z=URtb)LRn(xaHcLxJE#H}_NjX($5;SJl
zqq9|N*l$_!#RO7K0sro((1p(SMIcn{4tgwSWD4Y9q#?IZVn&EeMR9SYog-9B;b2E*
z3=88-T<eQu7E_cC5Q??bQd6j=A9o-8glL~>QxY?Q&<ip!)z3)q)qi{_7J^}n%+@ZC
zu5W~tMz|jWnMkEYt8m=KacCfFxAONd(znUfc0j@rdZb4}>HLZhdfd{H&aJo#dllXS
z5TEE7V)a?|aS^;5VYIa^!OVWD)&bU~VfW|XgzxNhkUlAIuN~gvuN()Pz^>OMa@oD7
z?rhw;i;8aK^H}9nq2F?%=RT<1)>dqkeF|wk!~c$zgiL6>8lkTES+wnsyIB34qRCTe
zU8T;FzD{MFNos%8=+&`D7nbve7YcspqV!nhi7ZHZVTcYrYog=~l<hKLc`u>E#}%GQ
zbO(g;i!H<z;&=at)%c)z*K?bN`&x_gMWH2;aKFt{e9Svc8i3V*!-qS1DDa15fI+<l
zFL%cmy<r`-16RZLH?pS=f9MSu@6(T@y9L*~<^L2V;<EBJr@{XKY6*0|AO>ZCTa5F`
zL!H+;YRWyQ1D2hD=Zo@xGJORA%pD*%2RiE}^NdC$|0@CDJhB&6_=4}ZFF~w-k2lwI
zH>`-_RfG^Do1};m6J5Tmg+Laj$dZug%Mo1|COi|mg<tJ@P7tXyvDfuL(aFtzB_`1P
zM6Q%a1CVbwk1LKCirx*0?VclQ^;)zsrr&)5jc_Y|>7mcC(2(7|_gzQvPS0#Ed;ZnP
zj)VR43J-|%O%ZQRO&~~-N@WLFJQVZhBzV8Z%OK-_iQ&Fs2V|t|4T!5uz;6fodvB}8
zKR6WX?_#V~kTXrsHk8CsLGXwTpfRx2G5|exzGD{wuNSGJh;_+crcgijW*m_vDe0~4
z{4fB!z{`AGVOTHb-XGL;mtYV;)d267#6=eYHUwELfDQkstyq7y`EVNuJ7DK6hB`2i
zt^o*NZs*)CM-rDk9nS>;x_$Rec5T3n=OPN$(EBSjf4O%>7Dj=-4XAlAF#X4(at3F)
zyc1Gi=vdzi@da|=$F3THolwZt%nV@f-SCVrcuZH|1IsQIPw#~qFT+$Q4D9qzYd3@$
zOmkpo+qA4p4W*bg2Qt}*-ueitPIc<N>EG~4iYak$;Wz>cNBCn_j4K}FYKJ;;Sg1#K
zL(9?MW|5FvPbB~~0T)WZoD*!N=eMRNcxx!i`3LjEF|_{H0s~k8Z(9+zxJBMOafNH6
zMLV`5YkmL37o>rcdC||zW9B#gi?Jj)vFt%%6@JkoSCM1N5M#xqN`zP$a5mhmSTzaG
z8V2e7*L-dSmkf4YyBkAi0A@c*6%9w8t;&F#bX9<VUCFPCSfS=%Ng!Y)>Hy=nTp?iR
zJ7S+WW6iiDoPi1ax|S;_jrPEl*)Rs|qOaSM;>wofv|P5b<?PlNvVb~tdvI$KyzRI}
z0rO*$ov{HoB@oR2RNm4PmM&mXGWKKIvYJ^2v-kCof*~`W8gw*Xqk9`w`T{IUu07QF
zJ0nfmwE;O|m&}WS_r~^GqZ<KN>ybmh@}qu!RqdO{3<?n2HU{97CtS$S^W=fwe?3dv
zY~_3bkAp=r&)c`JAnf|Px8`iKkUoG3*cvgN27LOpN-g`lW2NJLR;|yug0g5C^)~4K
zuxl0NUszXp{6aP2Y-Y!Eb>T5<6ji$~#TRlCzCSx24i~VH^RKAHffwx}rNn`@Aj@M&
z6k%a}x(H%YGlC2iS=!GskfnDEXkMZ6`WN7r6Id=$_5^ZhfN{B+nXH`xVKzVC7$U#D
z&Hvm!x7h`teBX7S;`V8MlRL_rXB?@Sn(k+ZdJ)e-WjdJG5t;`J>((CNYN;{JpDt_z
zN*u972iBbk<k(Wg);T27gH8y<a(10&dw*&GTJd@4;(S-dWVh59bmKJyT_gz0K0hj)
z$)mu26OOaJ#U6--lfV`*-MWzKQ5y~!5(us=FjE=|XLEW%=pVqd-05M!Wd&74`aZ9!
z7Du@>Hy!Y|WCI>}oeB#6Ww30yqvLMIFc}8RQO$bmUlfp-0K49h8B^(G0tlU*S#@<?
z{)=5;o_Y#^R1h=WvQL@Mh`|F~@yO_?UYyGRTAV2l=Dsg4pAEmN@?4$XfrVlBHK~8L
zVCP%;GJY$5z4k13nkg?9KFZcy2JFzQD_+<7P^QLRA`|V4cP=~}>pN@n1;RJs0zvF{
zW;{z`_2Xu4QF8#}9Iz@Tm`%CmrleEQ4(eA8`@jdY1hG4rdYj)`vMLcJfqUsQXyx4C
zh2lJ;jo-<-^wtCO)pa}1JH_x7jlb+6E&nQrOba`(Td3}~PuVWP=)8PhWzCe#Hh`}#
zA7gYDK_c8J8!|HI^CaSt@!=bTpi}xd5<C^Xp77wDf5tL>clJnfTQ)@TzEr>(+y_&5
zM&H6t>;3Wqi*fL13_PVPfr09f?q1i0tA>sJQnv6Y@@xjbE194V*?SkqPNWfH7|%TR
zDW<1he=cy^sGk!4(JQ#q6uD>hr~G1hOxUZLH=$Ik@jN1<IyZOCVwv5Sb;pOdHqHR{
zRMN^gRG<P9^<*hy^4(J?<d=7mop-&6oMz$f1jtL>QhYvKXm^!OVeFKvelL_cbfKQY
z(w!;zRm2wt;GZwAN5YUU6uY+X-wW4zZI3Hxb2le;$mT@-isf0VLV&NO48)AgqEpT+
zxclb&$7L15b9H!Lp-j4@Hq*O#Wf;VcnEhew&ey};v=t=}vYGb)MfUZf{%n7(jVF~|
z-I3!?5ic*Ia6lv8=npp0^n8BPVB(hVf&<l#FYkJMJ<njFxdPm$uPKdbt6B7Fd3MA@
zq4c<QCBiklsM)z4Y=UX+RR<}2@o55YUmeDS2gPTb+1@-^vK-|-AHEiFGD{{QPyy2#
z!}?lLIBXv0iKSG6X3#&u^IoZLK{O?K_NZhnee7%AncL67xXxmLywnFT*aQwo50_;p
z+}tx9!;*=7VJ1y^jTd3Re}q~w%!<a1LpDfe``p7ja9_sbW>JV$gj-n}FtU<LmXQ(b
z;-!Wpdl`lV-BIqn|H?7rE3>&Tw<JFnAqJK~B8NWL>js@IZX!}_tbq1`YflE+2vJO_
z@-uy4Ivpbz{u&EEtBmlq9Hl*+IQ>8(PA=h(Ae&X1euEgTcsiQ}JuzQf-tgdD%OK#V
z5AzL!6txnPaX?jvULPk&qw?p6?}a{ulmtHx>zENg!YyvScc=J$Rj6lO!(KM>A0_Wy
zdYubRXstZRr;&V^-d^iSJX_hCDs!g*iea9<7s;sGQD0){ty<x<5s%jT$QNNUc|+9z
zVX(Oa=&r&9Rbfd-Tte2FQ?X?w{hh!41)+fz<+HMQ*V+#|ZvcE%L3z^01)%2!2PBOU
zL`LQd^EW^C(`AMNwM3fi2v4!d^lHf}^fh?Yfv+H^AoPf|$6nh$jww4EMdY8ER$^wN
zUXIUv_~K}V$aPrNO%ACCSylx&d>KH5x`m>Q?6EJxZe0OJR;`DvRs;G=P+HY+>!^h$
zy(nYZS!Pprv%^Wpkor~aZ(RHh&bNaT9mN(6!XEG@XkfBm`EKIHhA#J&7xC$-T?*=w
z6MiBbGO;mcAWh<o^ra<8XJVN*jt^BCM5++uz}Heqe~UKk(IRE1n1+Z!ws%sRh*S6*
zOy^1l4nIu-`0b8NfPOvS2$M!As4>5h+c*Ghw|Bulq<X%t084D1W@<jbT9z9gwp+NC
zkVSbO3M{=d?WmD5B$XA)1*}4FO<mDvRg`_N?(@@<Q9FR2G?O_ynmDb_e&Uc{x68G9
z(TT}U-H!k2v|_o|_gHjBKML;yhh3^X<x@29+FL+QB-*lwE%P-)^{?NBBzCyBLDS-|
zl@|Z+I5IE`iNmu8!^^{)Zo*BS@S|JjN`Px;6`QHIZY8a%+*zZU*5U=q8=8~nxvb*k
zv07K-Ze^0p=^wFoKM65YoeLqCZxy*c94tJ*cy!l{_A-n!GW_}r*>I(uI=#Oa^)N!Z
zH#E7@?QN6M4<nt($_I(AUflxECox<dmmM^gS*IvALG703d<^qCoIRD9^T+Kf?#9Fb
z3f73$b4LIh9jk4as65nz_0Yq!OEs5CSDTz~fnFO0riabvrT%$%wH*E7*17zCrbs`s
z^EvAqYPq%>6lUL@81g^^UF$3hTb-ZTR`Mi2vp8F*Tt^nwuzBFM^6FxWs_r9tdGJ@a
z>7~B3BeTc!XGNZ~g_uo5Wq2)8@AotuYc(jwx)lHEG=Pp$MZ1aUBw}e%Ep5Fs+gMM=
zwElu**xdo;$ES1XqQ+@_|K3YAV;U`DAnBui&mO)QOe8Q5PuzF&v5KscXvk>}vb)YB
zZrO9Mb|{5C+QS`2@B%{4%hedHTXU36)<b-&6>4Yhn!&opz{22RUZP-@2e1m2SAAi|
z*K*3Ez{-B^M@@GJRFK7B0AmcV)P|1nV$)-P1mXh}wcKvAqdk5Cn!OyN@VvSTo87Yv
z^Z8dcKEE?`2HKS*WjGCHYD?v=13hZ+-R4sx#IJ$iH3V1`)P@(2_o`=ZVi;{GsP}e^
zBuu}b0@(-T%zwM(#Vl?`|3@B#t*!@D;W569l_iw+kwKKhoWAZ!;p#Nyxt03~*iL@g
zyc-W~eE+WlpSLgk1LWqV;M1@kX<ZAWkhu+P1-WCD*}b`mmpi+&687Chdy3%Szw(Ig
z0(jBK!`<vS+sR7AIUPENF$)=@4ZSA5Wc^c@ps*dQLAe@vFP`Jve`Vn>1>sBSvW_4U
zpHF>JzBaB+c>%U+3Eq|YBfpJb>hW&z?5KG8U<=Qd`d7go1i1L>#_&HBAH}i5p8Q{4
zHO>uAO9`_&c2;j`xgoLS+@OcjRy3D}JOOBGAAj+{=7zr^9!09%UE@{);Tzpu+GbQe
zoSZfib!!QI+}W2g`8aYDa)nnoa%HS_Ns0Q-VZrU*UmPWWh2m#D7-9>9n=w?(V3@}+
zd@BMYg$gCwnJC`Ru@sGMYK_*Nn31Aa^U}fl$o|Z8Fos{%W-HA=IR)~ne7p^wrbxNF
z_V%5YnCJS>@Sj$^-#>u=E9uxic_2<>1OV{I2mF5|9k9QW4jTho3sV!P|I9h<Y?BiN
z<FXhKLT)~xrpC-+VY`Y0j8>%Kdma~sL*g68s*&p}#z+!~zP(Hc;#<pjHGP?HX1t$y
ziGp3X%|XwqpgERT=L3uB3;wu+HxoRPFN5^@lq9vYF33CJ-JDCK7(-HIUw<iSEpKj6
z2UgXC7o?z}2EJ^vNI)Z*A`4+7n04tv7HEa~e=yd8rqu<S5Y4S)^Fxd>=Qa#w{e82l
zgll={k)xKaElArIW^HF{-|M+)kVvFnhG~vAkVv)#L@vRl@bb#Gw)kWJ@COJzD~N%w
zfYn(FpIB%#Lmb*F*LAOKjKM|;ze&Rm6dG!)Y^<FfcIV$97W}CCgK|i|zViH}?`HFP
zFUBGAq9~2}VXW63+z*DUXyU)bolV>tkmEi6!I67a=tz)}uvK+~2YAL6oos9~aN@Rl
z^4>Dfd<u3W_}V3mU2h|empsaI)C>GuFM!7%YJDy0*-e(X$OAq7eQtt#u{rA01&lAq
z|Lv^KN9zyA->y3X`v3Gdh`*hsEU&60EUGUes3NK_svs{c!NkJM(8R#P$i@f^^1tCS
zdmQNyejonNc~wCg7z70X;`jW&2i|Xk#ji1|6TO>>A+3ppF|ECw5$%61w2Vv~boRDp
z0A94gixCQP;;>Ly|HXopln_z+t^NNi5MaO8AwGkt-wM)RLemKV02=AP0=T&2`w0L*
z03iAMmF{}Sy5QNUD=T@=o*TPv2In>vKvE#Esq3tShGPV1)g)A_XKBM2Uo5WG4fztw
z@<CXL+J?ZW#Zuz$&w6{;y<E(DKhs;9X(nktPN%fhT;I7}|FXPpI!?2_t~<(fb3e}c
zo})g<O<*21l*h<8kw7#hAu6-m7^_L%O-67PRkEflkjfmh`yUV`_l4mS?BwdhW7PD_
zQAB6easFbftFNxn(7~!XBKl3qBdUJN8z{xej=QXZ3B48e%VX>}#@<N`67&_CR#2r4
zKIjzcqHGh5ZO{r?FM&GQGmV7^L9OAaC4;e4wLp5C1Rp(LTfo`EO>Dp8lr^7Lu8_v?
zyMB&@Ch&1gouAiMM?EBsO5^a)l0lhif!Z?7JrssxM&xtxQgH|j$j>LCbrytqBHR|#
z5)d}GLcJ#~Ao^Asq->$YufT)qeLY_(?S;BUVMD>f&Wr1PFE9uMu2^bwaI%}JH~DF`
z>T*pDJ{;8_HsKcT$8SM6aX3gtlLatpnUK;@TT+hhYAs{wWnMLVf8Y1MFaD^#`l4uy
z<(c_AIUzUBPTu7LW9419L@tqpI|F5^vD8>=9f;o(YJ_7trw>MMZsI8Rj?TrYuYT-#
zIJjNy5<}|C8@)(^aq#V2akA4J1S+G<4*B|`A!LIy&H+}0ih9UHgrB|)CpX&&a5)&*
z)9lw+CmhEWNOX4$q3b*?*KTgQ$D+sezT*IQGqU~!+iUa=(Ls{0gX-m@%6-rgw#@-<
z!Gbz#L|{sAA$-yznwSWv;dOh<PITQ7=yboIF>~m0klH2Y->bKi9w1TAaTD7>>Er>%
zBOY-vYcM3l7lvX9-}h;u9KT_&ruf9r4Mp#a)@&e--S`+Wjh%APJm{hwuwc)Ti(;@m
zw;L3pb1$}mpE2Ob!TU-C{j5%Y3j1kjH+Q3lT{T=1j{>kqOUz&#G|x)6Y1a;6at92P
z%<l4IG42tY!Z+~tlNH#&3W~xu{~9kvekFumZ|d~Mwa7DH!Epo2Og&1Snt0L4wnX^(
zC$eWgyKCXbziwuHoZg;o1^Nd1i>#w7beN^0t?)moStwr~3<EMA8F-nRl9J@^(H{)R
zggMu#?lYT@v=JYf33&^(@~Ot$-35d&O;FyFpLSFSfqCIl_f=Tj;nEf2ur>2D@p(y=
z>b`eLqr}?iKk)-6;6oEWi4p|j5~*#S+^>$)uGMXRIMCS4^e$Z@5e!+i@u|c+=(Y~s
zqlkP%tS@bid>I_^HECQNKX)QZhFI5AIELmZ&t@+0FPOAM?%7m4fO|T<>Xi)mh{Ip7
z3qbH2puah}%fzDe<W2F-NwF-3jGKv;foh=iZO<dL9}HZnW@&z0R_N9-_CE<LeaOo?
z^&KO1NZM!PxRT2AyIPoP+2dlGoDqh_wt~9c!&%7Tf9kq@ipb6=p2jJPE6GdToO}65
z*8`Q7);Bh3ozT60WfsEnwivzjs$=ZeDsBuxBhk>ei+pPk`P%W}vRY=!hzkwg;9JK~
zln}VXLTCf~`SJ3Ew3r_abrstTAq4HItN;-+Pa}8(h37`QP7ruA?aI1Hc(>{z=nOMJ
zX$1IQO#a&EkXz7Tw=beAwxT+<a<<iOKiPCUV7h_1dwV}qp1YnaYCMXWQ}?Bz@*<@)
zTMC+&qg&R@kX_L{gRb2}wXtoGUF+&@DLuL5^clFwS^?8uU?7gaG--D;gOicT%DEP+
zejI<sSIdppOC#41@goIGx=014kObSdM{*NMN+H(2;_K{W>mN%81&rf1t)lf|9pM;y
z($?D3W90cD#=6h-I~>6RuiWk4xM&NC-)JjqeB%YbHnNp_|Jp`-ymgt#nlR2}-<2#i
z@m7qLc$6M<7V8hPv#yZdAtT5ZBUZI}qp{c-I!`m};H#a?Y3hE05Wj-6MqvZ<uo9jU
zVYuarJ<0-Eygv@tJhZOl-yGdGrUc&NH<xesT>u@__-!aje!mWVZ}U*_(((&pU7!SK
z=yf@_4m$vw&)%uIKItZ(#Azh|G1BP0YFr^51}SA<Z=XMFxZ5B<On+&W{o9kEr}6e4
zndVW8SGywKu&D3jE5GwSBzGqa<38kYv_vj?LEq|hAv@3N=rt52ndom1C`+=4qhdCv
zrTi%0#KABF;1)fL!?kLodzcsuG(0~d`_HNq*i_~amF?lMGrqBX<v{D#GYyw}TCS6Q
zYmb+zNZ+r_Bz22uTC92T53l(MOW~G3S+_Y{Nw`vX8K?7kP8M}912ev|{g;7;7F}}j
z8e%getKRU9I~?3YA-<unVhR22@aK(GTSms&fvwlpc=Kn0?G`JZWcMWHeMB(=GV`!7
zJrRy(J%00~rKYe(hRajt;he_l*!1tXAv2Ycc;-Dte6K8Vz}$6kiB%UIF<^%WIWY<T
z@i}Sawxe>-`ND0=pm~SX=IV!?!|IT~#RUKSy?1z29B$Moo$eD3dFBjYv`~9<@x_d{
zuGkY&B2Oj}JNKwni<$n4_3!<3^s>Cnfi?e*T1rxs!145EEv+XO^8B4-YWrO!t1Nbs
z6I$vXxSleafLwzIF9$M{X!5?UGU$}2sVgzIGZas^fo=Kh6X(X{_F!&4hDS!H_{M?+
z?XC+~FCw49_O#|u1|e^@lOOYNNu^F(y-h~-t%k9bY*+*yiKO|-lk}jy!s0p0&~o{l
zbg0?uy1d(A!u7xhgzqGs_xkKa3&)1YSJS6$@}l=>^mxm)Nv4>-&EwCufK{)s$2OUx
z`T-67uqfg@I)d*al^8@$of4v-*Vkmv4`U#-@U8#_Yi$y<Ze9N*d#K^_^gom2X2FG~
zN`lu+mG4z)b+p}k2LqQJ#C<=Qo9_w&exq>dFYs{wEI3K36KnSsT*Ja;^aG?jRJO7e
zCfE9@``O5glXNE}LsS2(&{7TGthC!SkSg~G8D$2>gmROpQ=mvCMV$D$?vt%SQGPH(
ztdKkTq6a5&_jYw2BsW)a_Vxu|PtQCwq8tX1_QV~cJmQKA@h$IybRapSRX{MWt3J8r
z$TkXsUem-Y$V%JZwK#@&0@xJ5w@U0aw7#Kr)jV5Q$sd|A`?mLP?L#>+rOM}F!M7XN
zS*nc4JK9ft^xTv@Z<Ffr2uYxAezvJBleF9>NTFD?_6Z3eo8zG4_(|0p<@T)8TFUP}
z4ZttP9ydEdzp-SMbH=jaJp4FfM;fO!Ng@6_OeV6Kr`^-zUOahFMoE8^DtFpyE%AiY
zsDx*m2D|x3laj(={0v?%lY>DGvQ_CD2u!uK$LB}IRrXkHL)j+HKcjZ=m<+6cvjaM=
z3H81mx`uU2JfJiYM<GCCB7%R{;HnQlH9F4_yZca#VR6q}yh$O2u&R2*+pZlHUZ2^*
z%=Wr_U#~R$qsF+)j6E7l%R2ADJ*_=h5pDA;$G?ahvrSP&<U^M(2-0jz_(7&BH-Ucm
z4e6H)owJ(3`Cb?4FN8nzw{%resBsit8$-R8)%OW`I@ouH8~TGh-k^aKlI--<r64JG
z_;?use(o1M<jJ*1swnB>bT8L{D3irh+dXF4Kk%YVfJ}GaF3+O9vl--Y_glZAh}<z|
zcQ-gXNR&3)ulbgg$F@XFyOgAV$V&Y)S};AOGDHzv)kBE#R>6s;aw%|{n>x=g>3Hqi
z;x5t{SE*_4wc7PT8<b*=)4Oa5EW;^oc)O}hPu5s#3a)QGB*5I=y`LqFue{+B67j4^
zL{9@CFqrO_!H!?(zFJ?`UU!?Jo4O`GeRNhC&*7#-AsTuCVB$j`9b%AZayfbH;?nh~
zF$#zn#E(;##fhS7^>pt=$2_KS<8Al}m)?<3dZArH=3s!wif9ql)RI#T{a%}~*^}$e
zYUMXSI(_Vm+ffX3&zs*hS@?C&hb%W$QB`a&Q4iszQSe_n<788UJvgA{!)g;{ZY@Iy
zHyb0ksU#YR)XlK&B^H78?g@GwTF0Z9^?1qbOf0P22eL?E^KvsYDq>~#@j#RG1%}zX
z?pf(6_!a;Vp4WjA4Z~;b2Nc=ScU-0bcBK5tN6q49T_y4&0^=teUoLyC0F)v+d6?<7
zb+>5|8jwmJyx`@hxw)1m_2D61@POW{orMT5jqP}sS#h(%IVc2+h>l)>!zjQI+t`D8
zjRus(HC(1BP`d^8>ISy?1_&XCGH@jn^E~U>Ffu%jGZ#yA4@#zt_FIILYJ#>~LGhwE
z5?J-)PFog&QU=Cp)oUpuE;WC06)`QEz(~GWhp6~~!j_HA$qP-*&uJ&yo~kr=ZVMU^
z!p6I34;2`KPPP}+YcUZZOy*PncIJP+=CP^hu=A}n;5USs3A;5kK1!1#7;8y4PQs7N
z*Z1`_b{^;B1kuF>fa-|@dasu?nqD9=jZa6xtfO9L4Mu7D-_*_&9W{c(-EF28Zx(0$
zk(HVM{AXjxoO^^*Nv~_Ys3y!&SVnHcg|<H4a|ulymA9ek<0VOg)M4PW!PGwbBa2jK
zLmpX@_3Q>g7KjM#u?P^x(or?4%LD+%jqOz-z4Z<YyU~g?57>MYFOP`t;cJ$%_XmBa
z*LQ9FF`@%*3VVI66!Fldtx^%=2vnZueF0K>xDIw=N^eu$>mjr>zqW-sq~<^zp>%h>
zbPfwI(HkD9EYem*J0b$Gl!TLa0`1OwGc29PH?t*9Tqx*MP0{8`Je2UdbRbInrOR8U
z(5FK7ko;F+nyseWy>E0bzV$HB(+qW<{J1xH!Z}r?4NpPrG&XwgLJRd1XC4@Jr}$_@
zOY&~v1YY`hxjiI^wBHyYSw{5iL$L9wi3fzj_|7UyI}mogvxAam^Hx&yU@H;-N?x#H
zYI$(Nk9uf?XB<}!C4%;Oy><AYx1+DWf;#)s0+RbEp6tW8an*I^pY0YdHkqA#m~Zq7
zC~pSlzc`l%c!ewpKRQuYBc)KrN%V8+*Q(}Y)*Tk4O~XTG$5!da2Ov7Wi`@Zs=buml
zuk;G>#!B#gFSS?m%DS%0|6*NBV;N0B&uj;b0nLR8pK~59{g9M{JI3h`_(wu;IgufT
zbY2*JqC5kg;x0_zP*CcW%`HX-`||JG2O<?%5^WYlG&oMr0(glxYcR2N-j24{<>BEd
z9<#r+mT+Bvu2L;!Fc@H=sN`h+8j%bq-%iF3EpV`ji+7+XhQI)x82+JoI7N%7VqO+E
zhe^%CbIzW=y^8C#ecTsjb`aq+<`ZI*z;H)TtSXhJHgY75Zg=0o{nJwbUWELg?WUGW
zgtE%807Fe~18nbdNM~kvYoNY=setj@4rG!JXf{E^$UHtS+81B+#ywp*fW!Fxopw5|
zL_E&)Wa}cdhv_@u1_;tUubsAk3wZn35cD49ES9o=RM^z9F&&MB%^5#oN{Y=eeVlPl
zIBP_Xp38io)6@St_WSXs^fGSt)y^Ese3M$aJBsHkk$jV_KTISH4My!8ik(X7M*RCs
z!pc0{7FGz6nI!0q=KX2VUQ3zvXe+K5r9i}g>uqeLB%&uxm?bEFVk@G@iO(&I+nEJO
zQvL@j;7%t!w#-b3?DeB9M!xd)l@(SJE!8Ns=A1G#x9O(Bub5ytV`Zwdd3XzHWCb}N
z<~t@{k|KIz&gotq<gyeSI~soA_pqV6(xy5=<z&nu2W)o`9(&Z|03jI{=*E0GO|zzf
zJMC&Vzs#~mk!&w%7!bW(P1~ph2|Q!T?9Scb7sx@j;6Y0jS)4h;xSYeZV2Le3e^gTX
z{>K~^WfGR#XTXNGQA=wZ%MxO|G4rO8oMdZcdVp?gJiIVke0h<ijimHUw0wrk-MK=F
zEYS+Qj8eVUY|ca!t{?6dvelE;5KvPvM#72-b}L_@E%dkuVCe%SZ4`jKm{T;FihF?C
z0qCtU1_OuXm?$%^?=#`X2tM~LQc+IIIXd*}Ly2}K69zweTZG~K!<eD)nhr8lUtUU9
zm+NwBN5!%Py5!QoP-k&T+$1j0;KVpRiym+&niS0J*KZUg&l21yAp60`>J{Yk3wgA{
z!Eakd@#%u`tJgo7iXjqz5Soz{$IPsci}U3`vr0OX6)c^VgLj6yyv!2Eq+Z>Vx0nJd
zn|R8NJxrF=$#{cyjT>awCK-~ONZCljJMcDyJtUc&eH9c>v%U=sEHzzS_wS~Q3HHLs
zsKt4$-}FVAGb<3ST|gD*icB(mFk6YErc+Mp-ftR91X{FA{;K%$+`mF5^}ird393TP
zfkqHzfG*pyXeI>T9g<6c&uw7hhf^%~gxEgj)Ie?@tE^(F*fv{tUw!h}oZEyEWmXPh
zU>OQG<e66fq_ve^e}cNtB3nq?#3SaOtII7dIxTG`g1USP_Wu0r3cLeXISM!tQ3i72
zeLN2PW;V{edn;qVLTOYQ3?`9jdH@a}A)9;uCW7b50lJJjZWEb+XbWrv;vUOPL~tQ3
z3is-BgV05-<jHqSpIYhc*Sjd^{A^RJq4kVK?$2J??x}pQ_~!8t7vJm0FNGT9nCmWX
z*MpNAlX&@o_b`|GZ`YpOj`m(yx<k74PZ+sJ4i6ETukKNzHZ%7#)Y*jl&O|QYRq)9>
zX^<vNV6l$!auSkbLY>j5S>^Sf3d3)-l??oJ_1VP5VRjPJU2iLO{&?kaVP9|FP_Sl&
zK(a*P<fH@DFkfeJ*vBjCxOwA$2eo*LG8cUz)byxHV(T9XRqqQ{=MXN$RKbL<VuBVP
zeZV$yp-SLNLPai=?eq^;1gMGT_}#QxD%ay!e)8LH>q8{{<0-CP6QOp&@MC$YCL$+s
z+_o6i{+S;%KwL{2HVp{yw1^qkOb^n<NX*_Jgd|9LmM?;56+CBQ9kOL4{T44J&6R^0
zZ!9~PLp8smpM7h68Je-%QE343{Rp$T@a)b<?6x4n&{nNX;fL&FvgF1|BZ2fXz_LZf
zI9oL}lH{YOXH-s4q$mN37eND?7r`21C2Oxi6^oz0+xd==oE4CMSU(Fj$H6ZSA{eW;
z*3J0=RKtjF)z(?RMUms%(kLNYpee2tra#Mb_ct1az^Ss-t~7wBFbfDUhutKFdtO%p
ziJ~e}>pL{n^mV>8R92{cd+F`OQ;zS<+SbGrqLahdq%k8BBH19QfB*TK&fPR5hG2QP
zj=VtAR~691fn8yu<D}HWv~blVH}m*t8f+*eTlY^;1Xyy1N4X3Lr+;ZD=~7S6Ja{5%
zTp20!5toOx+(``ucmRzYD{Xf~JWH5$1{t{syCMo!tsmyVnr`tQxizX5I0G7`6aevW
zSvo>{)ls8ZU8RyG@a3JFh;dInqz32^mq-R7nYq=XR4Iaojs3Y;TYk&9+zJZigt!dt
z+v6ajyj@05ZL770876%l9{>F5?6Bl!d585(kRZ0Ps3ZW;NBu>Mf@m2plN)!2M30Uo
zWWY~a2KuLj*)z%+_xovEpcg<UnY99>f)8?Hp<|czt%A&E(boN|G!P0#EOha0lS>Wi
zKR}NM2~{lHO3EK<^E%e}BlxJsne^8h8^$3E5@k0QL7=q~m4u~Vvb50GLr<c_7vl`R
zHt1L$$*qBa9?xcV1zfG409lzZboMA=So8voa-T*y&b6#^g$5>{bp(82ln(GES4q|J
zBn-!9I%WYO$P2?2-)5Xa$)jz#Ej0^sPewa#_-6E+bU2d#OxHGg&Kfb8E)IaEb)f=v
z`-cti14G(hG8wRF-AD_N>u_K|1_lGQh$6d+q8Su7!AvM|2pqDqKHgsrenKwl>Y}29
zW~SwB@zAKaZxye7?cOZzcF1<d@<`|e)!6kA;iq&y?0Gv?i#aVgL3d%B_z%2U?^1z{
zeH13bpK-`~8KO$|TkpmhpsI@mkKP&^$x;ELRN82iy%PbF+m&ao)DxTTxh)K!pv?r(
z9eSGld+;~%bel;8VmRhA@p9%Sh_*-^{&|}jM&{m(R@*ESj%NdGYEXyhk`89>g?f7=
z4WS|P*-Rk%dqJc;h|B_e&?9-31O<2r7KTk|Yk(CRBP%?CaR3n__?6%RMEB6HnlWO9
zzwxYSoxoKyUvi2A)t|z&%9=6*AjpI;c<X43fLa5A&V@{$3dkHJ-NQ1W*ln!i&Kgo@
z6h_MkqR8``5r=2|^7v^JTzpntnCE(C6ooQIcTg8&dK`;Tnqy_I2BHDta~wCnF8`yd
zK?>_gj|QkMjpjij0RK!P%uGFyG{^%f)|8SXY)mop3d6E_*jaiyYNwXX)Y1(t+}{0%
z9ola_t55dgN(95)%=bc<RULCyd%&_<`*Io0%Y!dXCBYfDK?k5gRRU0(B>i#sz~|JM
zf73J7%q3No?Ilr|fxVS>w4#f2NT)O(!<Nmifrc~~HUL^U=fv(n;im)z0Kog>6#A+-
zRR*C(&m@G2B=TS|&D*2c&d<aCzCgMVb^r?E&d}@%Omd03J8o8J>Y2)Z2Hl@9Q3#vR
zm~m!8fF|^(`b_3QGqoU;4c$#+XQ!SchCmlSCC0=_e6&tNA7_Ey@Ez3@(Z)*GlL@^^
zm>3E$z+%*Uc%;-RzSb{_yIru>d#2=rbod}<Xd>4=fD03*Xb&C2k%=Gx0SGJcmpP-q
zCR8LxDiTFYH|$xW2K&;Cmo<#v+8!idMXlX1WaAbOL8;q@P7yJUD6}qg;;GLrLwtv0
z`CBz63MQIw%O_PpP8vlMH5`3(c?Xy@CuTe|_X~6iB&zcKRNQT-rw0(HwnE39vlDMn
z>BJB!zHz6bf%g`@0jPv*?IC^7yI<mK{j;&gv_4R!hK4~I1wU@^)y$}qO6qP8wMOq!
z7CdIME~F%d5vUGjdPNm|!rEIX6vP}3m-yTMGBV+DnlAXSU~`w3$tN=C6c6;c1*!<<
zag8c)|4b)#DXC&>z#|}UT4^xsMBEeDmaPaNGkz3c{CsPIF7RNXKD-Fbvu676g<iWV
z(}8)t%09N7CY2V+LTj8=X{(+KosXaK^q)KPfRVEJr=d!q52CI3CHjmmgWR_{2y#x>
zir@EKs+2Oi&LIe6fT*EZn`~#S+6vvtJO+SZK~@EGC^G0K!u`sl6H|{?A>d_GC*Lh$
zq0LJ}Hdr%bfQF%AcpC{tX&nzUquK7iqtbQFgY$VgZ(pVB5zWdUS_D6ajhl>AKCb1-
z({W2wp-z2f;5E&STwi-qcvIRV;jOFh)p}Rrj!^(m$mg7NHN+`R9chl?<4NQs+_8)d
z6w6IC_Tb|-)*&ch@<q>L_!>EhKoJoteqW*D&tv|$NsKY5HGFYnI8P79zA`22MIjPr
zWAVCCqv#xS?Jp>DZ_g>W<5F87e(EW1*hp?5kC-_b?XzGqQO&(s01Y1(Si(0S8+f*L
z${x6eQQ=_xxO?JKH5^-LFEmPxddT{7piBY)^s~_?kp%8Of`#w5!lH-W;g#0D4ik6N
zI7E)qQ!?Wo2F{n}Q?lb;2DXW3mqyw2C_38GYsvhS&>mQ@x>U<u%Sw%B#<Fa(cI#AR
z1EI8NDt|?-yW$}47>)TtwgJrJLiV^TKg8LisN2K?LlqG^5cFk27mrEQswg+C(<yu{
zn(XY4K1#N`RtS%c7`vt`-18GPBnOfW3Gx1ow8e_nbrOf6QO_T?@IxrWH=b<-zHL)X
zu%LC2Z6rMaMSd)C>D<jT7buL@PkgcvUy71yE)31j$JWIStIUl{;B6-r-)DfT_X_pD
zp;qcI81Ci{MtV9v9F89)Rgo<W@2=vb<j1mEWoGV{3JMHE<w6pt24Ul*X<@JDXG<u+
z-nu)D`^&x)r^GtEdoqRPv6;_>a{w@+iJ?KYLk9hvZq9`{r4=Jghq{Q52@1#ny`Z#<
z7!Du&w|SU{my!67)t!~8<HDxl^7Wm^`|fe(xTeXkneAgD4(|eF_<Om$E4Kc^1BJK<
z$00OHC2Y-yi!>J<ir$U<^#7{pZPbSQlt&ZP&|-S3o>RF5h82p36Y#(lDGq}=lX$MX
zPe=_>-eV#5Mo}CvI6Fxfcq)Yx%xt%`1UZvS@pMGJ_&^=8b}B6t7VFO7g3EgAEW?U&
z0D&NEgTvoxJf&E^<J(2v5{mLZMf;4R+xY57zN%b%L5>!uKyVP_Ky!2d<nwX+KEB90
z*p&%Z_+5FbYkr}mvF8t_b)0SvR0MUa-Jz_KXkp=g{A@nK20S0CfT!;V;q<|rzy@n!
ziE{#iUTq}}JFrhr$Q!%DBggNBbqHke--Dxwc&25m$o#W~TPxL0YL(4UHi-Jl;u6jF
z8FM>+GUclIdeZQ9j68A-9w>?py31|O$N#LWCv_Is`~-yg)5M{`9kwNxS-23EDPkPb
z^zaEP+zqz~D#PoyskG3%hu(>n`M{>6qY)eWKYhJ(bfwF-J{-G)j%{{q+vwO%R&3k0
z&5mt59otFAw(aDX{hjaLv(Fy)-nqsa<NfEE_0}3yW7VAVnNJk~(a)sD%8*m_=yY}E
zd0#k{KQMZ{JJRb=mtlT;9lS3{$5{9%Mc@p|brxiiKG<~3Tmgo&eJ@)t;mxBqfwrIK
z1V@(}l;A7gw||SER45|0b+M_Wrb7@u_ywfgnC#cr^GtR$JfFyK$@JJ1C^AOlv#w!A
z<)8scG(j}s7k!{l86``PB-A84kBZ=<tG!GEx&_;)jFv2j4^`7*Qo370+mrLrA84s)
zB<DzAvm*C!+;y;(#Gb7@<1HzxyAS$pW`@|LUiQE``+gzYhtW>HSo9GU5ZUj<f<6sG
zPn(f%Wh<Rxg?3u!MY9b`8_O9w>0(v-4!3f{y5gaZDD#Tk5pe+~(PCvEKZk|@w$@d8
zvpMiFO`W+5teRmk45G#Ddz^=Wi&DuOSAnuP@}^v`ipq-~v(1{r7B^+Deh6BONe$fr
z1`6Noc&$A1S{MbXjqQL4I^Xaj*ir|GL$e(A1(=JX^8Tv)I2rv#sjZ{X<DZ(rn&?wk
zOlmJ#U(q22pX7>*q^@`TCs<DSM`UP>@B*DP8>DQv`9jyy#6x-Wr>WR+SPR|<QQJJK
z;jb^^0O4O;0Jc!0OY%~IW&9GEx5-b`MLebSCMk)SzU!eDl+t8nbON%TWewZwHGDjb
zED3>pJGYOP(h5K^9Wyo>w-RxT3fNo|7=$PbY%DJcL%wrZ;%N6~g)RC<YpH$4a@YNX
zL(FL1ejCm0v9ax<=1>^gAKo~qai=uFP0}w?JIdO(&$sXA$uOdO--p^r>?($+6tp{9
zcpfcFO+EEx&z+3E)N7M#>Qb0x7<X}hlI7My+4cMOSb}5RR1qyZU#~3;j3+6y2~Gpb
zozN^l=F~xC8-x517|3^ccsI2+SBzl1Qk*|!SZGEOQ=AOLwbOwwqyV$r`C<~l3k>90
zvHR<{-ez-)u6Do|c+sA6i!BgAq{#rT%BX48U=ETEA!75USJqmb>T5@U!e^jd*>{L?
zebA~DFFUV*&$d-Im5y5piKtSN<;fb_^jRN`cx6{KSb9I{b2xH`D2ZNfnNZ%=osaW{
z*S6nc&CxkF=9(Er#q9-OHIDdXHUmVE3IC8nLDg*iSmdAM*WR5K4U|<zTC8jko|nn2
z-W;qmAMl|U=x&6_3O~|d#A<Y0mQdpxyc%RKePz01FYZ8*bsWxDW>vdN&5WW?Poo9!
z@iKT|(4D&>py$v$4KkDRo1h4S&~vid+m3=R+}R5bZBmC+B7X>b2S{PZtKFmwyZkH$
z3B)I~O~F^kgz8qGci&>@f0~E4zE)S3>YHWUES7LS&VtKm05#kRC#>RIhCj;3&oWq_
zFx^M&<!TbiIo&S%crDZT)NZz+)_u!?$@!)632{KF6`#|B7+r3dcMS=l;q02UCHCQ?
zE$?tt^r`aFww~^O<~=j>ej(EU<HPLY#(bVewS=gEH^}Su13(JPHxL=-0mGOn=T7!b
z#x{%4K28EDY3i3Dia%$EJC(AD@zF2|zZPt?14@cqH1Tz?Jx3k2P>m1M>uTq?TVyS8
zwLP8mct#EY8NYw$IF5DwULroFq8RGg2Qx)}!fX|_-LrE@;2=hPEIZaz7dXh8zyjJu
z#_YE^Q~@0E72spvLNYt_8=;+>REwp!^Tr5Ala{91NEMv0y&M+lw-ieE>GtG5l5IF;
zk*upEzc|NelMD(|^n+49>T3jGGb3S97#we=|5U)noxO0I;&;~9ik;xBl^TcjLl#<`
zz`V!p9@tQD6<nasAx=q;cXH3s@&tI()P~PY=E`%e*la~xTEmsQXmzz6nZ4Dkk_y1F
zUous5v+{b7U6^}gg<F-CW+>!E=BqsQ`E(g;AM^0Y&=(!yuPwIn3>k4?iN*I;INh>*
z!|myv0SrW`lYcT!d@)TPy=IVo`9dyrQxiR8g0(gDM3k7y6Bn)vL~!%#o)?RHI+7YI
zc@}NL!+;kTUWvQMuhBeQy~$9MW-VtKMxsGSiU&?bXcUPa_DaPm%RQ<a%qFJ%hSw*M
zetc>neo8#aavO(M<9ksywNn*Lc6&I8NH;h4pWTjZ;;G@qK65c3r3F24f|Ss745EDL
zQS1l~qm%E){h}ZfeJf=cCEl&4o3t07nsKr&>gPRXkQa+PNq7!<w2k%|2ro}X`gE^J
z(p2!8Pgk5Z7wu_L>}f+al}w?9jvWi3Lha^c8aowHx^8aI5Mo&Wg?_sCa^-;*`o7AD
zJ1YcL`WU}3A2?gRtSNpfwl{+=RjIDp-C}Pz?#fI(eEDM-hkn}73!%vmgvN9ZEZHe4
z=>^K}q?u6l_nQ>&M&K&FciR-GA=40GmF6>Icvq3%5#<E1`qK%{Nv>+lJYW>lVF?Yp
zEFG&JY#Q>dp{!M3p)MZ`?KdWhwAtVpRwG)xcy0#slU77o=JS}6$;_+KH52wDsfxeM
zem`@@UGNZ*bODP^@>4qV0$B+a3*mE9tA$iUMo%PnFs3i(5X&Lg)bK;mZg6#en0HZX
zu1w%`vVR1MR*8Yv;GJVLJ14o<s;bewv3Ut*uTXUt7v;=FhlSGM0@RTEcO&(B({A$7
zw3)(&UDu4Gkj3u3XYEE8R7mkC<_CHPpl^2OWv><jdtyD~Tx(Y)+C3Nxu(lZxQ<|}s
zoIEm0vb-#PxZ({OO*WQS*fPrW!9hCi9+8Ui7kCL?4|i}&AmZZ|wqVZbBlMg=(zZa_
z_QwfH3!BVf#&nd{fU-Z<#;}L9_(=!6Gz;(XGV&(Q(gpMZvfAmUY@Yu0=|<1Q?7Daz
z##YCN#xFc;R_NJ`-gVPzT$?mEd-AB1%YpY#YnTtF!3ehbHyKR}&02R$mCEDUDvEIY
zzU$n~q)wi7x1Vx$CtysI5f@Me&ugfSm={Yih_fA6bK#4hZ_Q;RN^UC~2EhzN4~IUA
zmpLm_MxE3%`aG+nrIaNDmOmF=Kvc+i`#)T`h!<fmbn0I{m~I&+fS8{;kkpC2;|xCk
zjFh_>Pt|MNwO@pPX;c#>ZScF!Idto)J_MzO4Yi+V5zmsNkt|mWs=XPpFG&?_$zwI8
z?P{yG^fWf11S%jXUREDkQD|B_<Jsv0f$Z!b_eHyi`O|4C)8_0$%nHdA<bU-gvLX78
z8lPwg?@;^Aw!AgT?0akhIM-nEowf@)K2Upy=@21&@cQ2vh8d(5t2(1jOo|daF3><E
zUl!(r_AP2i2QAMyP^@<cfjE)biMLfVGiP<DYMI7<;jW&(_+?*9_2h5)SCbO?h(um>
z8fbrPRMp*|o@yAf24eWx7zD2}E*oMqaSXU|Q`^j)#nXfP!DE7<S3YfoixOd&{UG_|
zt;*>>S-Cf|YbPSF`ugQJ*cmP6g{vEYE*6iCFIJ+0=-UXx;_(1-1fi~;{kZc6*el^6
zsTPRJ^^_yll<V^-CAty0aR^kNdsCNT9G1l<ZanHL4BG{nfd#qLCJSK1`HGdZB$=Bd
zAnDQ99RRm{j4)SGJluwpV}uuZS$VdeB(L2Lr$XI9{|vRwFfP#Pp5_>7S)tTL3p{yl
z=%xI$I^=#vByGlNz>!cbqy`Od<Tr`Eq0!Rd5B{Z5W?x&Gr>AQkD@;zNKUY<ttKrBJ
z40z(H!qcpn(wPue*e+c10OY!G7XP~o$xCis&Xa|Zy>FVDeTVDarCQ~u$Wz6t7`{Lq
z)=C<a4PZkK6yl!2I;OvtAh^IpS1|ogLgTIr&$ZWmMZkEDE?0P?7uK6{hLE>w?+Tfi
z!`{D$QT7&wSK+TsLv(8$#Bk%mx!GiOMQsZ%O5qNeD8%8AIFPlaW`o8Rx;#<K>yImV
zQ3yy4yJDNo2rnM1uNAv#X6Q0|1oDGp`sKU#GWT5^k5=U?HbqlHjXcy5H#67ECPecm
z!0h~@gL4G4n&KSa-%pBzo3sLclZiZ!WfD#O&{}SC#n5QaQmB^jjVAWi+Fs?Dwa|sA
zOnZYQzRJ=Y^syy@n$IvaAEmaEl@or;+wW@&wOvjsfAIPJ)kdG-W5XLF0`f-hcl$(2
zUezuDHR2;A8k6x8TFhMYNTy(LrMc^5<SfdH!k<XfC!@Xg?8BGu`w~e4aTmBFgkJ9q
zXp9u{-m2a_2l$JhDOn4N3gEHv(bO#AsSw=vEUP+Q<YRkG^~~qdw$Ck<v<G2stX`st
zYsgqPp2V)XO<13Tu%P)IA_Tj2J*s$LYe(uxsBpn=IA2$(x#LPypC^HB>MS!F1N6xE
z)7#X2aS!my!awR3%7`UuP|HSRZj3ZI+m#QV5Q?BFWapsfW>QY~)GxGJ{!nv=S<Nbz
z349l}#?D;%Nf6^?T&CQC7QO>Ck>*eL3g;V%u_VHSgr_qR{*wE~ZP2Kj)7%8$GEA|v
zT0Fe+cnxjnkcW=u(qGN-o3=aGc;0BLA41Ky%0e>8*OA7vd#OVpq>-|lIO<%graD6o
zTsmAk#NdZKTc89Deg)qqnSae15c>@dFX8x|>CTBqK#FQ1w5rFf^ukguXsJSSFMy+5
zszgnxI{R21qjidrKV(E4A$p7xNxj=-%VusZo?m6)0VG~*MXS8h9!NA#r&<h-d<JF@
z-}|ZAs}WzB1<Yf7QlC((W91D4BiE~n4PHh@qCTuoj_#6qP05+4K!9%^gx|H3Al{^E
zsglepaIq}F7rL~8+6Za)(V#nzn$7~gJBGCDd~yO6GSMIcz1BTH2OkyGQ4olai_dQF
z`Zyb89+j7MhA1n{iQV@>tFG)AovLYJXz4E08FHGCet9Op<bC6yBlld)!Cb^*CXr2S
z-iRXheIZ4eCL?D>TWaUM#t3OB0m*wD&K3x7<4wf-22IzN{^ABZ%Md+SP!g`!?gwa~
zEC_OoJkiECF0P9-rBeQeqD-edxbFeeEVh7@-cjq`bJ7--B%48td)pBe!;#AkjrBHI
zksoYPvJICVw#s%ksG*_cULI$s<b6Qv<MZws$!sjEWMtCg;y1<`C<xZ0wzmHK_pqe>
zP^K(VNPS{PyT?N1EvU-Uo|-2bUiaa%Ed?cUJ5Vooyc@(x2-m+qL3OReaLrkK55Cyc
zKoTN9g{uVh{J$9CpPzD4kWeG8&5}VhKwo_9|BKL#_63y@Q4*k$_$f+fXyah?bw$I!
zsQrnv?UQBFC=gp4<uz=0K#&7_KiG-=2`C^lvXCIa^!fQAJ74&WKkd-Hqb2}#H&uHh
z8AgJcq$THrc;+h=zsm_((!N1xs^u+Qf#plBD6!$l-Z&E&9sd|cH(LO#w_2(SsqU68
z34uCay~KPPs|Ycr?SE9+LYWrF21L%tCIObt(Wf3vu3WaWc$iN_*F?RCt!O)8D&@1~
z#Z*V9G!Rwv1O0xT#UNdR(!4(_vr_86C(&NV=j)d27?|NV)z3=gE;rsfrnzs2Oacbf
z0u&cdAMAJ!#{xFC)w7be&|tO{xUY{6D5NA6s>YgW%WOkzAFa$xw%isQ8I0_|MXV?u
z!J%;bFV3-h)<hP>%~#1Sh;@ofAJ``wtU#{1F8a40P46*FwsdLy(INQ!{nExjk!i4j
zTD8W&5Gwc3gjpYBmLFzyC$Nfb>Q%+6{iQxgoPcTK(krAHfO=oz8tMsa`dg4ryeO8f
z^6e9j+)Z=48gL-JWRfg<gyX8ycr12{gsw<w?)5AriZf!cM-k@RHFpHi0jJWJv~dIG
zb+P((T#6w9gkK`n*F4?`A5HNY_tg0&)<h%!Dv2IkwD^m+cHKCit>`k9N@Yf##iku$
z-F+?%>i~T_4z-Dd2Adii$HO4?9jm;`mE3JQDVpkK&ZpBzK4_IvpqOEF$4*;hcL^Xp
zGbRx=S6z})iKtfWOBKc#17(9801XHE=jJOQbz>Gh&g#?!4^n=<P1nD8*C0AKJ0{{u
zl*;lhNHrww=6!>M_yqs2^_Xa6G9dlcs{r_FIr!fj4F2j@_|Ns|U}iF}?7^OBhM(;c
zJxn-wtVkB5kDBc=IG)<iNot84r?|M78JcQ`5igV$Cje={b;O@KTKawDS1d^$7A|fx
zO<X0~GNOd%62PT<{r%zP<F)GYWutrJ^<{m^<Ne~W^WybF|NORZ24-524+l<|U6J6o
z>0W*;;`cC(@K{huH8<qidRGl-e-s9&SSUK+8?{7qtOzl8x8Gxa(Qp)7*Kpoiwx$${
zQ-1iElQ94o|7Y$$IH{vWQdj+(Mb2<+JdfhM<moiTM{W?1*Zyt-?%8X@sd}vFI>3%b
zkaDgQ;=H<gqsHmMpFdfRg0F!Eq@as{VD*5zxHTIS#eD+#)$VlHW1!&B9_OMoGHcRm
zFcbQ=Z}Y}~qw(nv#=!Zj`lEL1W^fmjq7BDH?bKQM<kvjw^9O3(548u;LnT6$`U4Ra
zfG7k8BC<)o!_G0%X(olsL#~M0bggpUlMR;nVQg;VEKR`}={T)F$UMi_WUFL-$VT5%
z${Mn@kd}Y4$5eKDSO;YlZiYA%uZ;e{5}gra#p)2lx>zPs^{|rCao?1d@cm_b$@6)I
z?oq*{)lHYFI>CYVmMj8q5zRZ*<Z2c}prx{Tj>31d=W*P^-flwzxDz}x{8)zw7TBe1
z^%K=PY$<u%iKg&g6!f5xFKjXqQ%P4aPO%?W{w2FmKjM#OVWHr=D!!As*Uxz0=B;Bk
z93Rh-LfLwlT@FVt(~xU{E(bZJ9o|=qCN-hO^I+lCDBaGhzlFv;PjV5%_lnv#(CQcs
z!rQhg?olnv-|C(8Swq31aiDorcPnt(bxDMIrk2iWWgZ|Tf%I8qUZiT?-<(jtB&qhp
zDPF?+-3?qg3$x0c!Kr}O%k&QHI9$W99X^;Hf-j$+V*;{$4i97LcNE=-w|9NvXtB-0
z;e>qBNs(3J9X>;-iMCC#EZJv#aIHB9adP_-I!f-lrGu!)fZqy7NWQ4u;Be6!YafEW
zvlmy+E{-$Hl<o@FoSk-it|jZUr-@|n<*&iPgB+>ZrZcOS1_tF#>C8lfKWl#&XAJBu
zj%+PmB+B~JXq=cf>Gasp7p06NvlmozBD49UX)fF9E!Bn$6PmeLto>BilN_8zN8UT_
z%*Spos$(gjfF*?GI1vRX`H>=SW(V>afWQS{`PGA!2uy*aL<tG0rxW#sFjc@{)LIwR
zpaOb-$?1+4lt(TKms_lOYINncyu79<Vyzd&A8e}~AmsC_QD>ay2R-wrW)yfAepFWH
zTKb|}D5yJY<j9TdICK>8Q*gIG`dGRnfdMnBc(?z-{66(Z$dp-rPA`NXv1@VdZL`v3
z(m1`ISZLyRtG-@>G#+p#a0Q($kUNn-X2uk<ts979np>Lxk@y9^tUoHz`ls}h14<r%
zcKyKZGxa%8gQxOjCx67qAqHHB4j*3Iw9=wJJl0*pxvJS|YU7aKb)&Moiovv09$|e(
zMo~yolY`y+v+kN@;|2ZXaqtD6mU{0SYZ151OrJ6;Zj-A!n(m&%$*<PNA-{&ZDY(p`
zK=*gzp^WN{w34+vEnLNt5o=#0uKoHuC-~a_Ai;hu&Gh$9f~c~Fwo451UaHIN8+C)Q
zS=lN9i>u6PXi7U_5zzP6pInEN+Lzwpe+aO=a4kkou)U}-0M*ePrM+%OYsAroYU4Ip
z6`oFm4{Zu!(d1f{(_If&4`4ax<T|q6oQ}B%C(QZvI_62S-CXl@tDX}RRfRLFid`d)
zr<6?$Cu>&aP~Y3-5HDW(c>TMPaq5f%n;%Rd_7@L2p2=B_bYNnvALZX5hr;~xRW6sT
z6)#X=n8Z9zH5f9^t9}3;6SK;nJ)6>VWy;=4Je8HJ=h%HuFG^GhJN2KnY*J&*=3FX&
zQy;7%69z(qj#Wi(pi6joelNjJaMY!GA#`kXM#~-{&GnuUMc5>SK}8W|f;1>XjvFiU
z%*q_fva&bLYiX#W*j>ec-OUr6{t3~CMG`sW?Zu+d@=TSmZ{%TsileT6{R$c*(k1ch
znKzSVekg*6TY<>2?E&in{=D<t$Ri|3g%ZcYu{_o4hX?X+U#57-sv79ogwo?!7WMe_
zPl4345MD(nq#5rc90EanU?RY81Fumt>v3D}I$Y$JCHVJGN=pCa@6bIYK%i~lzD7<`
z5cJY{pD=#(?^BZA;P$Qs0k{>=^F}}+ss>m2ZXm|=vQu2C?XW7qk`eZ`&brC|*ZfZM
zzkYWsy^~=VibpmV)c=u&PqUKLpQ9{7lcritl+ag@E=9v3%aVpEr~@$z>p|G6W&ir$
zn8$+F-|y<kCBPZQ^V1=AmTul{Xs3G8p{_R1psM_{ckVsnaMHAb8-sxQ^Fp(s%%Lp+
zl-d|Mz{`8wwb^>LK14vY)vLm6a`jAKLX`O@5jFVlJicODTIj9rf(u<DmjQzUbI^%`
zZiIC!Mt`ambk~R`TQeNmEYThN78KSLI6bT^qY;C8H7%;7aR}xz%q-|5oK)kHLPeTV
zKfgWxBGROO|1>`UXU1>BfbQo?pA>~+TwEli74(=sYYov<Ly}_h3?}9^)8UN$4C8Rp
zvCVsM6ff>9G1j<#)AGr6C_C0f6%7;SnfTTMd$GX^pYeetmiCN;3iSXNwp3LUasX?G
zN-FnI2~9RD?JISTkEQoSMkXw0zI}{chDxx(g4PADomZ`(clmX(nGZ{zQO(+iT?eDs
zl6Bt0DgEoLkl^Q9A;MEVLPohcdA)2|ltEDj9k%9v^i4a<Xx&~$8F}H)#%m-m!KlMW
zo-$s!jfrI@gh}2)u?{>1Tu0s3xS}19?gN>O3HYK|a_2TImpwcuyOu~vTnvu%cb$Py
zhpQEjq|>T{^5y~iJ`dcCJl>`GHAbcqQ<05w%=qMH6&UHLXGp;kk0wv=GebnT;jN$t
zegA_VX)c4ML>avR`*mTLzL@06WZd?$S5k*Vx^x1#GwX(>`>fF)ww+7~r8GGeEf1ps
zo}1*MIku}2#?GphnOrBevL3f_*2#32<L*?+WtxwYl}2^U#AGWZ_uTnq<h+#+hsS+t
z?wv8cB{mXbQIbP1U>2XFHgwyW(L=74inx<ro_cO;=6MM&v)rs-nI+<#HeVRe+;aYi
ztnb#FxSZN#n3&y`7Y@3T=@N^aA>(Cm2Lq^FjqG|yT-+pc#5T9alAY%$=i_f!dvnPL
ztp|}xI3Cq=ZVpTuTd%C%Th@bVdQqObtD|gT>W{6}oy3~$KDN#sT*faCtWx2VsLPKR
zBf`+LZ9>#i2*ro=<}pi8gA<xuZPP*rIhJ>r373|*WGm*lEN>=XXSsjHB1Yq6{+(Z)
zt7LHh*Vzx{?`OaN3PWhEj1%X^s>(QVAg)?vYY#+4kP?&51X?2qbXqu<OXV(53QcE<
z`50btrg|D7f2J2br@!4a`oQjR3lw0xm5{mxbaxjS8q@#j!SeFS(o-t3au~R7Apqr&
z%@L3*l*w>Wm+9(;=S<~I!5l)!ex1n~e@scD59%&|NF+w4;9oo=H?KR*90+*BdTYHJ
zZL4fbW{ty#IjvjD<)OYgz9v9V!wZzb(4SPwG6eJdDeLo2fxUF~7We;!B4)D&txjyx
zowB(Lac*tWomVm@*9sMV(3eg>wZ;X`v2cwi-6ph!;(nAv;^{n|*i)6K>`S4uv<S7l
zHZ(-ua=*@Mz;p&KEGwFDr~-qXha7j+ju#{~R?RlNy2Ytkrj1;WAF?tCwPZBp%*@dv
zy%^WtgX}{t4n+xEqXY!FB1MNu476=(F!<y&v<c_2r5olcFIKd7$c_<bWGw3gZ>fY#
z+-(4bdS=WG1j)~671C+EU$Wt#7xdzfP!G~$tQOb%-*y<UBOD45W*3D%jb=n%7-cBu
zk?cff@k$-Y<jOZaB$FP(q8p4NEJ%a6ifLnY0U%e`rABQq*+*@RETmq<+UOhZ;O|Es
zrmLbBZyu9_SsdppPA_DdHC&RTdx^Mjc7ltXB2X2#WT{UpYMf)O8=%_Ut0g}6J~wVk
zdI5qnW`Q@Zj@EfIw*clWnjw=+Z($lX1HBx7GnoZ9;ojtQOTCNM%DQ|TCEs9*&g<rg
zk{hgH6>5)DRYua{ePGOA3fT1?;ov$CQx_5Dl<*jptS2PqP*|UjTlh#z+#okFBJ|TL
zW%U6_GP9yqb2qVFNK+qcaET#XwC0)$KarjLhG`aoDoHg#qfIVe)JawQb{^P>M)-cv
zhe{oY2PSKsw-VRx)U`i7{sdPT?>NT0H8K!`V^)_dF^;!SI5TeDsW~zSk;cIi0mG}x
zA>8HY`uy*P>*C(&w%M<EsPHR7`rqRr<p0<cHtuGYmin{~#xRr8Q&QBFG?EM7q-dxn
z$EWHQ=;xWXU><Cl=bc8RWxp;3yq6gtla`{PtyL(I4yU^LIU&OecW+xY4m)){jc_Mf
zFFrP0Z`%lN#=ywZHxH0INi>VwIZd}zH^9L}JiyVh2J9)z$L^RZBxhCU=ziD2Izd9k
z*+x3iwj3J(|7r~X*T()dPTUXtdd1kU@BcoD|J>OB|0L`k^ygFD*b`qjht`=4H@`2}
zMN$(7y$)jZ$v4%_2Lj56Edd!wLUl%>Ov6<_yBi4dQD~slgQ-#B<IvP4hmxI`1?Q2b
z_V2igC*3CRxqWz+9NsTJHy#h)JFBN&yDp~Q+jt3tU=R@(^_Odt2Y?0Ccn#;oVr$Ld
zA%J4(DJXing+SmH!9=<>eLaJp++qoB;Q$1dx7+kU5XkZCIo6L<k2g>hAH@iWyN961
zBC!+{)IcsGP~v@B+61I>c0!@zQoAMc9|8id1uQJgfmq?i&x(|>yd~}Os7Z@2`Q~8`
z!kj@065IXXKxYRwV|HY(h1z0;h~L5h;;{37*nv`1;9pe;cL;g7!-NY1kHLLB0`XYp
z5fng`KhLBvV%N{4qTq;;X+CNYOM7#}Gh2Y6Fntk2SwIM{YBF00p#&iQ_(;WOzb%n`
zq6yB@TS$qcB`zcS&+f3Bvj+t~789($jgS*c$h~Q50gr8F_!kJ2+CYnR6~7R(YDxcC
z0h1!wkq8#nW=4uwWciJa>~w9)t+DhcG;jzD>j?|llcAOXwCQ{Z{oB=TFDAVNZ!9pf
zAA=syX3Ks^JC>9c=cto~EUcw&Teei>H<u67LuDm><U~3a;~ZSFbLKRzusqv)KAr*D
zR-SYFtM=@iI}N8Z$B3HUcf>}{5_;xIUUO?>H3RA9b$Q})FN1p+ryM_y8^uBp&&hj;
zx<)ZLXGwqbn{cG;ouMd)I8ha2ylWWokCf7nhkn~m>*xKAr;uj>8)tX1Z`#}R#E_k?
z0m#tkgLBN4eG2KUx@-g+GSBL;O*U;e;mAw+9GQi>yzS+MYlR06(VpkE(7(MLTP<b2
zczMI*<{1XXe=4s1?V=B|ri#Wo?0Uxueqe(eGrR^^g=or-cz0h(>sb9HV9J*sncIF7
zc1|Cdd3|vCZr>n~+Wr>39ziKD)oJXNNo&nf+$7Pshjht)S0v>kaG1aS=K&V;9krtE
z@VfF<u*cv)=Cl*`4U;jCDuC?Ri8ntC;T1f@C!BVS;Akd-x`R%h0zt)OK4f(*RB&C0
z!EEx$oecXBm6&IaB1ht!`V4OeDxy8u8k6zB1F=xUX@GCFhCH}#SX%RBrJlG1Z$E60
zg^miYENz&t(q5!h+sdL&yvAzb!=BuDvmtUtI=TQbmX6Ra8%Ur<#?)}dk0#r`NAaQ}
zLM!v*=x&+LTOwfwVOpTpAjKTF7^RPj=|u}0NQjiuDeCU6w(DntZ-=owFEmvCc2s>(
zFEFpK3?0O=NNym|nzH(LphYAoc4>ON#Et26C<ZxUe$x=3o+&!0kbp95wgse{T+5Eg
zv#QO+#R2C`&DM_nM%wmgFOrXM=-f^Ev4XC?){#O0xUk3pj93W(bDSlVAO>}BAU_G>
z@ZeyuFrr~a$UuPF_do_h!zh_ZFRyQ2*JOhbU{IG9p`>{d!CQRNN1GqmS5ehZZL^%!
zY`GdqNW(C8zp^g}v072i8?NqVo1<lAJts^gnVj(0uWi|iiHr59Sc1{EIGkuNNmw(6
zwj$*qw5#)ITh{8=)=J^K)T_spDXTnvZmPE5*o`r6Rzn0`EwwS&i@D@-4puu}EuTv)
z!79k?2^V0uX(I(X-vJ}8t;?c^15x3?U4xXxwDafp7|~lVEIc^hk!I^jay<t(EZPiR
zEV@5saJ}f;=CKwzW0G6+Z_oxp6m1PtRw4(w?BV4a+M@so+(nbD@Lw0FC59PXUP_gB
z&T2G1+!o2|m&UXohIGvN>Y+bZ8w<^dv|HpYHJaG>Rc@$ZoZ@km5b|*#aoXI`*BVgX
z!x2$OT+Ozf9{4$Io0O1=96cErU$khIGE)9gna@rp&Et4gsi*g<WIUHy5V4R?potAR
zR}LztWKBQpU=rcUg&whlouJ(Y_k{LbM<9EU{*)<3IkrD0;jmKr=0LA$1t!S%u;#Tw
z)lTW3eg{h|`-JzKm?JYoYyEn9wCY%Aaa$M317XgFB5su!>jvYzRLWB;B;~h$kQr|{
z<5^a7h*c4`&x(~5C6bBfp;hw_3#3;|vdcw4&h3Q+c3h7MWzM9fD(u=ed;8hl@Y_7-
zP%3qNXNyNRm(f&UdU}i;G4&AYg0~y^QCY&T5pWejhYhiET@F4>^|eJXMldG<h|gr3
zP(Pa;<QFb&gHPG*JQymUfCx*9B*{6_9Vej==F^>kQtV;h>0BgJun%wCWMsA{`47n6
zOCQkDz8zw43Cu#{0cuytAI-;o+l8f2_3o8Ny$2-%f{0zS+kd(|@_M~wQ6PQl)eXDC
z8=RzLF*T4&E?TP0&32xTU-lP0jPAAipWm_Y_0#P_0?RBA_Q?<`)^27CaxS>P-&kb2
zwe_|7vy?`lzZF9V_fBlHg^CiZcv2NI7C(qib#X5Z7#bmrL)hAgb>%wG?=oZ2!hU0e
za=yiQcZm*>uU}j(ZzL&yjW!_-Gr5xlQ<`1>u|ccj0kF2-+GodZADvvLQe+aRgh%Xb
zH18(4n>5OR@F5<oeqiNJGVx&&?lDcs?(40$Uu_<BFbLN4trcC=bKG{$?9{%d!g@Pv
zC@=4}25vb~uhLVBTse`~!+$y(!Mv2iVfaoQpkCM5r7Ua}KWZz(ZRdC`bxz}-Zs6~C
zsCU6aGk{t*FSEOxzQ<r4-TOZA?L7QV!(m#J*|wJB-f5QU+`L4;e|qj#s<uA~?dL^V
zt?R@Mt=;`0d!=B=&`1RIt;Cyg%#E607O1z*jZN0v>X<^AYNd~;h*=-jttJZ}v^qRk
z7jgsda)<MyZ9kpU&5~pn$=Z=|kw*awGxOA%B&TEB$Hj-R6ORhFVtwoO%x~hX<l6D!
zrRML;&i%Av@Ab?E4!|Lu{_bO?Z75wp8Hy)Xt1mj&Tfl7OyCqJN%9jJ9g`Gd~8<Ful
zJv!g9<uLdehk;Ua|3JVMAiWXb04;vPVDJMazT?tkzf?yqV~`m^2U73kKnrz0M+w|{
z#(J~p9PpZ~1gJ1dhs{&cwdPgXC$!w^B2>*B2Ni$jgk%E)<^J-mK^TMAt5gGq3QVpT
zw8Nt5SJM6Lj>+als+NWOHVaD#834(;Q%Ydj%d=D=Kq4d(BVIT?jFNsac(r4;{cErL
zN-pWw8z1%uaO#j&w$8NfpYdL$HMg!7r+e@Trvj6+hlF&MdSvaYvmPF_pUWl{${U?3
zpQXJv$Ylr?yA<t(u=%W`9vWrZQp>mH(uZsOCok?7rl7Z|$dqdGiDq|Ya&5!!_Ay=0
zy@>^T)$F|iu#B09tTMa!jwG7XNe)B^b*F?~{M*z{1I!@hzLU)>>41gf=0c*<L2MW3
zwSz^M%ZNpqYiP*stl5Hfs&NV$hHv)^)>7>k3HW3`|1h>B#E}I8U;J31uoLSqq$#jF
z=T#wDF+IOBcy`Se$$Fwg*UqJibDopV!EnjR92wZ0RlrlC-EHI0HfDG(_UEp@cVWG^
zhI!P#7_&WVZ-rg(8Wn_#JP!i(cj5u15_=E?<}#ryVq$lUaJX0*(<ZGVn!-oOjfuQz
zFy+heV&);6ktsH@eYMEG;?i6U13V^a`CK*DNQ!LazSRpCqSR@wMw|iaTPsd~jd1OG
zBt>e2HX6Aji8+8Mp)pIl`y79=@J{j!y83k7gr<_`)M@DnY$&5Xb#U)^WuR#b2WBwf
z)Z)OdYHZgoMVmCA5(OhA&0`n6Ki%pnsR0>O55Cesyg^Qt*|0**Y!>A!eMkQiA{`Fr
zJ@p`T3=g|Ldd@4Q{c8G)brY<8Y%u=(b39aqW(5`q=+z1^TuxbxF9pI$%%=CuDVcSm
zWWc0n1CR^Cu|oiQzUc!2&HngsxVr6oc^c|Uy96Kg;R6rx*5VT=yhQaDzp?SaF8SyT
z_XQv^#)0STt#Pm4`u`k8+*Lt8ByEM5<*TR%;`0aIojcPz)@pN+=hCN*P3}62JC@JH
zB+F-L`@Y#+iHJE4AD0<7p*dlGe|G1$&wj~$g;ZVY1($U36rIp9t8!P^{NO6Cr77df
zaa?Gf<s1^vHVCKD<#V|^uf6%+CN_36ubG)6^N3#^%HE5IOTB;KSgz+lYo6j+nT>bv
z#y7{c=^dbaviY06=ki|OIzp-@<xSdF+2%=Z_J)Ku@J3<i-hF%istKJq70m8_I7p-;
zV2){4CzfE9w(Srr-Iln{ypzFj=<F3$#sxgh*kvBrsy&Y4&-~IX(JHz0E=1Td5d(ga
zU||TDY_*O6%l_zag$J2(Mcnt9V7ufap5V6ZGCUFG&R2i1ROBxIH7?`p`i#qh;p{+*
z?i6?XPcwIq;d*DX3c|jtpoNJPbXEKZSd$C)0h8`=E{mzc$aIZ+YIU%~)_Ii_^x1pP
z9n>9#hy~O;o<0do0q(gU!x~{GIkBL>HVl9K`MoN#k(@`)GAnUZQx3Bh4wAuN=*H<&
z)<4>pw2j`OU-xXc^Su3=RXW%ee^pp|(bpxzN}11Yr!P>$%u+{7xBi+Y>zB99)@??x
zIrDe6<y@vRLY+|#L_~5#=9+rHh3|rbj-gl_dD%MWTS1+)Ycuf<4H&!*o=UM!p$__t
zpFhIJ9du5jYHBu?5?Eu}WN6pB(P(p7?G2uveg3;pck*;E8viBo2L4rxlam4lK>_-=
z7MRW8(24*H5Ks*fFwkE*aQ|rr`i2%J_BKw|fG=IRe?qsofzk}rfPkKGL4f|M^8MR9
zza0Jt^s5GK`%gHGhbCPdArR13`M)&E{td^C1_JsLAagXb{!5PTpSZtk+QI)D^!0R5
z{de5|H0IwW*8X$0t=s?5!29R0f0tAH&)FL9{tt?5|Aha&c>kB?+P|&w3;usAu>I55
z-wUsQmHYo~!AQXWD7OAr*6p7@{+_`5&*`9{{L{x*!S<i<zvnvsN(TJfzT^E3{$Hbi
z<^2BX;qQrtzj7k~HZsD$d-(4R$v++ZeO3SGE1dpM4!*Jza#G-b$<+bDeSO}(5;fg)
JU)&0y{|5&_dyD`8

diff --git a/example/src/main/resources/static/files/firefox/web-eid-webextension-latest.xpi b/example/src/main/resources/static/files/firefox/web-eid-webextension-latest.xpi
deleted file mode 100644
index c52b40fd5fe649f036b7a704f8a5edd8c82c1285..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 78545
zcmZ@<Q*b40u#9b=7#k-iwr$(k*tU6M+s<xm+Z$|bdt)2-zpuCI&b-abH&rwBRo8U4
zvK%B778u-r`F{iXzk;dBPg_eDM|TG^ppEN=zr7X#Px{UC2SQ7M;1<<S`Q){%JhI6t
z-eDOwg`ko0rY0Sfag9a;1)V!-y8gVIor02;dA+q!;R?%{<wz(k8Lj`~S)#MkCV@Wp
zHpF;#8={~9{KkI-%{Uha@cs4JWC_MiNks`5XoMVPJ_rM<LxV-LSly2hCb5jqwfDna
zTwVsJ|5}0A@vjha+hgEr2?|(o*eXQtJc4Tq*}deU#XTry&?CC}#X;e%QM~NEb!e;e
zj8d3P)@I_yN1e)c6KB;ih~T#Un_vNK9ibF;EVUy7Yf2jB>4Lx*>^kJH=iAoSIo@Hq
zcZKvKk&4R@8niEjq1Mo>y&&YS!{lzwAJhtoFy5D{cW2yF1f;YBag|pe+)XTQYAzz>
zgsdy3mk$O)`k0?!7n8V7{BHpBZa$HZFbqZU@B?Q(t<~h|b8^@Fo^m%y<^$vJ$b|#c
z&lr*K)60>_FXLI?oxas;BI4eEm)~B_Zhp?|B)Nnn$Zy9KtB^H&Sit~OBt<kdEJz(0
zygvhQaqtpg5Yel-#u5F<W<kYB*ef*Gt%kmglT?f^ZJ#L%UjdF@PJV8;4W2%3P7j9c
z?$KTn&cW1RA(*lj;l|W3FId4m5<kUh{|q4OgDHZEac9K+orK0yV}(S63=yJ{_q;Ir
z)QhKyprk<@MVD-bEQFvX&DGtEX@sJHqRCFOO{E7lE)tp}HN(OM)1J7tb~UAx*s3S<
z6mJ1u%V^|QDcu@VQerRtl$ktyyn7XxH(o)K{%kR;ir0t6k(!yfY_J10%eM7Rkb<h*
z1u?ZTl2RJp(BpVc1LhWY!4QyeaFQDk{jF&5=_Lp-q?y>6$_kHpM8e12nb>{8I>z!e
zURuiRRBZ;#G)@uy#)gNW8Mt0i#6-+tFe<{>sz&`Fo>C-ubsHzZ0HMhYlwrMtj$1{l
zbOPcZZnXB`kifsfFq0TZL}1P+nRX4k$uk`Cv9;*X%m>(5HKt)MEUgq~^l}LOjX$`u
zQIS~G8z3yr(@MHwbc`32g3wDtc;KLaMk_yOjU{nm&G=HoB3*#fpDteaaVJ|?!V(gp
zzITDm#GrzP2wiA?P2)`<jAIW%uqlvm*h#1E<o`q1D#*eMDHaFnj}KJR{n1adYfkJ&
zVjF_|N$$fK(Bj6Vw_CouApR4$*oPdSV5Vm9uKBof8ALA!ZZ&{053s%TaRj$Arwn2D
zK^C^v+$GKf;WP2had}ns^*jh}xnuPEns@Mg;L7bOq3sYpxGYkGgsApsnCi-wL5Wp>
zQmtP_MQ|?7gy9*e|8_A$whM5~7109*sT5TrZq%Mkl;a|>1dhO}VFFQc5c?5{+6bSj
zDC><F!)w@2)zBqHj1+RF^^D=>?cUU9tGs(%wzor{X6l69XqxIPVn3z*4xvL!?!Z5=
z)r^rQU7(t($au)#->#Q|yUn6<v>`W+&?)fyj>du_j>aAwMWutUg0vF|(Cs|*na2^Q
zPqdUv@L5{-)L}vlFTeLT2nDk!x+P&bGr}(B#y;j&lLSx#`Kbh9bwo3(6aLWM*v3B8
zEiXkjJ|4Go_hGR1^ry5X4r!Oxm3Uqk>G0B?zBA_thS8j}i;QaouP$)jrEl&g_kTp?
zcuSo!@MtHj|3QWR?}y26O%h8UaOsB+PocI5!W>^kE>aTUq&DZEy-|xt5zEE(YAhys
zRyLSnGGaC};|%2%X)u~rOFKtz`+ywOfQWGyUpRKtoF!?>5rOPWpU&q1^-_C`X{lZn
z&8A7?4*pEj-|>shPaj#OKoLH;IXTV7RHYj2>$i(%jlWB9p(YDQ=#2QKq90%Sw=Ak|
zaGfTpLDR==ejWO!HY*lZkDhD~&oIqgjd_(e@phk4wC9;E!u9xU^sEDMmZWP@nn-RD
zb&gQ^UPVX(jhPasH5I6jUiN{xz@$TiZgXhbM5tdffxFv>m)AzG(JPU!u^3u&Iv?q6
z0a)2!txH-9@9T==6!1Dfctu4C#dDrU*&)(_H!Z>`!L~TbI-ERs%d%K(e*<P|7J{fq
z+|eURCr{9wj5Br5_U49xnFbOnW2waF4uARgLAo@IiD4b`q6AI<g21`j9W0f97bmaT
z{h?;#OyHb)D+Z!o!t|*cY@KFhZ$th>NclaEehjTN^&3NzJ10QA#BikI`VZ{Ha7&Vm
zRq3)2oj5LJ@4Sf*5|Rbl5PWu-$6IgfU$=z0_##wgo&dTVq}$$2XB`vu?V%!M-Abom
zK&1I=y+idRROXGTz8UKjWq!!{FtgnZJnB}sk>WV@NfV~HB{XLFAF@uvqY=C9`MQ<>
z)=137=DpXyz37~bcai<^y*2j7qx%OYC|h(xdjmrcnFju+iGswyJ{~4Z2XiUeQ;aE-
zq?bm)KXMbd&B?dcD;TtIQsJuy0O~l3QVNBX#`^6mK^<#yM@4BeH@We#uo;w_OnwbE
zv-q1^{j=|ii#XzTwqMgv71A@A)YegCx#y?5(`$#%^f}xi-R+XL9B!zOgmQCiKhg5@
zh#j^I+}HApsD81Fd@yzb8za4J=#P@4`5AEES!KU|;TMCPMM?V4Y}J}fCfhWU89EMT
zt(=&o>?bZjK0BvdTP0B$=j^u@1L%DHmJ=;oQufs<M+^nT&vukOagT{q>8!t8{-(I@
z7WjRnd*m=WJq2POB;miWWa9m|=G`vbvNXSuX1pcl{u`$xCH~;tu}eUQOTg*d$Zz+H
z#}$+7qN+hngmjTNvuw_~WAh{dvb0&oKXmah0LEj~8w5=tr9FyI*>sbUO6Ohs$no(F
z)a^H!Su4*=8WGwqEGo*1Zc7MTR{Dt9n;E2vaRki{2@<EHF%M?VQ#6++=3(o=F{rLF
zT?<yl4k%vW(;+N5BDhsqduazG*wmOg#>adi6KEfU+V0MBPj9#e-+IMfg)$SQd69Gu
zdQNPJo8Bp$L+=Js)jN~*Xr*7%<kq;9aGkuu?>7cZh4xi9RUn@`*U%1oN1YO|hp#{v
zy{mx;y0fH+!2pLDcwg?-Ez^$+vd5jUj$?%+&H7y!x3C1H^m^Q3v3(RekEOP}O24F*
zlMJ7gcmApd?(_s$d;>=dYZg@Wi=b`!#{RZ-QVwDYrpW*e?Y!}BX(_qDN(g2vQfEEr
z1*L?->C^_`$m}q|f*^7>0q(6BIbg#QE+?<|ojoUou!7`XkKi-lRgyaJ07$L{@*D_`
zjZ9f1(w`aNP%HJ-iBmLSw-EY8;lNzXVf{)7AvZl{6o+y+NSe@E<!$g1SyI996%e=^
zBAX!)%#76&dKwYw-{9^+2!&ttslq_6*k}LwNZ<@vINQxysd@XtDTx!i>*T)*trJJ(
zmz)P&y2}t!sv@4^AWURw3!)pJ0<iOi5-L&Z8B{V?8mr%K1G5t*%Arl%XQkxw<ySP^
zkWh$?b21!a+G4o&3Ch9L_<Ng_OEXQ`EK7KO5<j)mHe-8Y*Cw-$pff1V-=K8Ob7wsi
zmQZN8vsvn4?b6e0j2#+m;;r;>T)EMuflS(M5ztS$dp?&6j3;AIw@=u*VKtzrr#L9?
zaCsa!xznf2-#hSnTJDCh_Z#mr=B7AHMYRJZ;B%u{<&9m;9TPP5I3=94wdgS7f8ZxD
zo+9Pl!3QV{$o=3gKuS?Fl*u9&A=qkSWyJt8FhG?BRTL=G+{Go!jJ3+*?>*o2zS!hN
zE?7L?wa>_}tBDhIGRlw_6r?=CU(s}qak0(ThvHcoCB|X~C>Q@a4Ph|k{2wp7uI1;+
z3_KiBo3W;K_r_}bNypz0LBlHw6fM^v!38ZmP;7j%9hFiH7AY2ssv(6iO`)_gR%{CK
zRfpmwTL{vTu(X>?i9`rQ+Xl1Z#;!48vu~CHZB|k3_QgedqVq2vVDMTP44QFBo3loG
zb_Z{7y~=C2T_;&M?;nL$>~RhbG4)h+SJfM<f3)X-Jw;}O9~xV!2@&P_iZlzeXAN^u
zWDIq@!(gfixDha{Wyz<#1wctoTizRiCa*>fOo^o18TM<)RHeU)X0Xt~4dPA7SZWuP
z2op#W_^4^dG~h18O8a5kY-Q{`7)}u!TfLS*L74G%MytgYD~b!VMtCuepI1M2*O3IB
z#OZ+WK4N=*@h*(yEnnE2$;+X1Mv3va(ye;N@l>E?WKYYRC-tTj=5Ksn?$EZ8>TGcR
zX-Uu@6E>vMxlECw)B!>Sjyg<A${@f6!=IAy6^?NnZn=3NWBR2w2dSV4p2}LHJr6X0
z`VyO$xe|7;!0fWvW<%<RP2$$2LtD<$SdzB7;y-65bPa|D(~+zD{XcKP$#s}dYe@-;
zior}qK`|W-Ti-uXyRqIZWTqXTo))be%)R7*wq1;VKF;})4}!wvzN4=jYQY0=e<z~{
z8(*Lw8R)O!VQ`s8GS`G8p1%=vBM$V8+r9>Lt2C-C9CYc?thF|*?O6S3)1vl}WW22>
zdPGIp6cPD5Qm_dug2R3_rFjpQ7_TQU-(RDLr#V=1yoAZCI@qKz(B07KsI&COGdCs+
zTX|`fB+SL#fXdOTs@<Z>d6Ai?wdv{M5#o?pgxdhwTsEPl>R%kC&J^GlgX3SFpWj-u
zviA02Ar5Wte)L5pe%RQ5qK@!oEjX}1J#41tsLdntMl~hXq#+KU3BO-CBi%x<=9TH{
zwS7gj1jI49j?&(21u{PM+@}D-D6&uh*qs2Bfz4n?p)t`;q81P8qknA$5<A!HdPK}*
z5V@fTTSqPxTo?03#aUi|fz#5n6wv1832r}8uak(ag7cq18}>E)eCyH*cvSsuXsSg+
zEM#Ut*{mOJo-W42z0I;qs`edVnTu+%#`R1@JT0P{PNDS8K$M0kfgugqGzH9)pkMO2
zoKlroT)BVz8j5Mtg4Ap27bA>B09uHMyaKe$0`eR~QTodmjYD4SIH^zHOS~C&jz}@{
z?&S{@%F*yJLD@eGhQSKj9>veSBrW+graR+VOctefu-pFTQD8!hCKZUlcymHu+ASLU
zLoj+sM|E-~?mv|sD|*hlhTwhWLq^QXQ(e^@v&Pj+@zUO-OEp6R2d>rqIt%MQ@M81p
zDbK(+p=(f>@kaBcG2P|LH#L&FG0<U+#FFDpsVkXBPSYn<iw(+O#F<0(YsH)R_zG2N
z-9*CO3k)J5_rqr^wk)GM<xcQtCEb75wUT?pxav~M5p?lzJPqWeRt04!ezUKYn8tCl
zuYM3HB~z-EnuIXq5sL(6^x<{R;OER%$?J$fAB3!Md|SupyDu<k>lmtEj74Q4CHh#z
zFlScQSK6pa@Sr9^lQG7Qf7e%C0F`@oYt6Fz;w7wDXqg!X$_5|j$*WXx>Dkey%7bDJ
zGFb&0TPFC~s$qUtHvE}pF$4|vGZqyTAug0y3$%q|r=rur=fjcLX~U@=5#THM@XAu)
z$b%v_56QT+e>n>k9dfp`nWm4#MOtWig2Jx6wCL-X54M9mhOym4J#4KE2a$fU?|O?I
z{SoM;I)k!6xOWcuQ#EZa1Nvt6`k-t{Ur<|QZAL#<nSQjG6!ru&N}(U#*GU4aimdHV
zel&N~BG@8PFB33kG>-|gshqf2US7Q{wx@g9N1Qo15{3LMl!N;|_j+)JEtPjh)Zt>l
z&0lYowHjw?z%yt#2BxKg5cRHJU<#C3rBa#tiJ4JC?P~exoVHQwC{EwfS~U@+n%KgY
zsAet)Q7Y2iZBq6n)BmC!)iYCEzeajg6%l{SDG+<mis<9(I1aC_$Lz|PE0MY^ni=5U
zQHPSRLKa-lsIm1YgVe${Tb`WA*?0t23C*DyL|_1>2D5Sw2kRX|6(BN(2_}JnwqMQS
z(!TSLVHk&&P7%Vtj>5eGr)X;ti)s^F&<i{Q^P-q%0AQI-ytZUa(%|KNAZu7Itxp^0
zqorc!hp+06W=*q0C^j|Qc#OQEn{oF$l>B9;J$<}FLb2O_K*Ct{mx!B3kt#-eRR4?x
zI254hj4EOCJcuqItkaGCe8MbK!oa~eJ=qvRAwhCunw~VzDHgN-OyyZq>?(UyP?_)d
zO8)$sjEq0!p8l_Eg|+pNR3Qp%QYdSfCR&K6E1a^GjdnUYC3gBOdWv~%r$9(Fiq(9?
z;Yj=#9?E;k9#X+SNve(iCUM^-_c3U~;;)P3(Gqgb@D5n^ejpSKgcjW4uv^@{Q>(o3
zbGBnT^;y6B%Y+GPuX4)&q%;$;>FIFjMvha32=`*!c4%SJ!&bp<wTdCJ<zkU))(5Rs
ztkxkO(yGl(Avb1}95%GkW(eU#KO*o);Sv&xBM1Hl)&w^|eWQb8E10m4x6YD2PNk-6
z4VWIx2u2jPkhZFgmN`=kGj{+@{8e`HtyXHg4!=jYSJ7u}^DIb9rJPE-Y%H%bXKT0H
zoS(}Kf{q)>Gl-#;l0<IOX<Kk7D_XM^$}c7HHw*Ho!}KLe6M1<Cc3hppCy+_8%tW96
zAm`Wq2j%0yaLsl%-TOi6tDONX-%S5nqvH}a%k$r!b%(X_MN75=n%ZE^rp7&YBw{VR
z7U9;JjQSBY^(hhSPttrAh?rT$JY4jcs2AEQOZ$_ZryGJaO6(5=d_Hs>SqD4%lW~ee
z!g3(8SA7-}CSzpdT8^rmSnJF#+{-=Ay{n?K2kjG`fvy@g!t$pPCoWYf)BZw=LIk_p
zKHE0p0&y8x>@$U(5MAj7__q=+Q90;0t|O%dzL3^H-`}P**DT@9Sw(I|ly&Oek{MhK
z_wg|@5_^^6bV|}Tl*oHF5#6j&qJtsQF&0%-{xt-+h;bN?%%x+s@STXu<B30B@ZJnu
zE*s+~^{myo%N5iXrf&wn8k^C}0nfp$tN59<y1531JU`+94^~;c7asl1@Ca~qg>zQ|
z5(h5W*K%N0^)%>4AtU&gzF@ge8NktTff!8jvH}^CV<tez_C&C5MjACwkocq*65UI1
z`C?O5dK$w6ZsAdRI=m#-Z#pR*c-lYU63jcANvqt?WTqi)22pd+*Rf$GaIAZSTcnse
z#KRwwr)x(P15cv!I$Ev$u@p2JQ}i7~mVK4(6E1U)B5S8IYy88R+yrqtBivaXF;REC
z!gIbP(e+;Q>LA{2@ajM1gGL;|zo{ml%M!A8LQqJmVU>aUGkA1$N!xy=`X9EfnZ+$$
zB>7@A|ML0xeg9p%u3=;6cIhr|*r1`g{$M&3*KU7UfqrOEmS%QzmDBE3>`EHTVLm9v
zR&}fe%-hv8ZK;kKu(T|1*EfcMcc$ag%Wm>|gp0Eu)zIi}DU3eZsK91Y(U?5lskg|M
zdGKYY7y1ZG%;{X@h6e=aZ^}pMo-bOeA4X^3#&Cq*1M$=;BED3j;@6N%<uXqq@fXcu
z^%con127PPkJBW_Wr%6yiimDR%mt&J$24F(QcXM=$aGGE9<I@~h^h@P4aoO|NA4#M
za6K6JF#o`!HL5(mg5$p{t<|nc@jgO^INtt+TZ(oQ;qsj1mN3_j_${=j6pFqr`na;&
z(Iw^?W96mKIX@>4!dG6E7gYlHu=GQ8dg_WZxbhPIA;<OR!uq1j^=}&mwY8l&CAtfq
z+j<a?hpP|N>a{tD5(8OCTjz7IdIddJIS0w?)|-G`4%1Xf>FgJO<J0WVB|~-3Th0k<
zRgw^e$k|~BVd_Pwd9u|?aZMZxJH@>bvUq=JB~J{;{U+D;68#E@r(<)v5)aS|{ir09
zEP{<TxG)$cIUi9XYyN~c_r<LZ;YI0SyqlhPrxi#nZ&s>)b5w%mewTd`Joi$>pU`ju
zP|-MMapLN;b;TWuF>>GA{dY4~#>1!6R5iSqyzE&<GBGqZi)C~#l!5LNCaI2F<C0P^
zwL2f;p{Byft75}B)3kjCMS;<Jx|X)@&g`M9OWV1JK~*JOzZA)VGv<k@W#@i*ezvbf
zP9D2kh49bAL3y{RBrA}OR$i3rvE;Ct3hS$!H$UJwYo|^{acYL2<5@;Yh(U7l-oGyA
zd2)C)))*3vV-`fP>Jfs?s|?VVUg=1HXH%N+TC{E^vXtPF6XprZEo|{5m6yhr=wri?
zVc3j1Kj_1IL&o7k)4Aeu-6+C^9fB_jHw`<NYuYtG&bmE-+`GZysQVH%y_2pdkrrmK
zuO`|neR`Hs?48NlB${%&PQqog7wn_JCd3gTh!*BJ?N1Sy-|^0+cR2R1HMbjgoK4l*
zI%9_}=sG&PQ3T_X%%hG{9=yt`auS*4nytXeZj#&f=So2ul&G9`swNq~NmrX(DUL^m
zcO_5M+)95GM@isr49hraM@quF`1wu0&Z@!p^HBaKLm;9>T?ly2bB%7U>7^4RTO{;O
zI=J>0_%?U9F4g5BU3mz{yLVb!lVR;>LN@^Nu2<nK)55~dH{OhZf>=cXi-z<PPn$ec
zE%V8`rt%Z=jCgpPUCwSEAt*cIhZszl7c1?uDQM)L5Vyp}Y})C@(SJI40Zeg_QcZZy
zwhzBmD#_r(W^mOpnwV=Tu$ipH=v(rj1O`hHi=4?BM5bg9vbF7)sb$rxT#Gmpv;VXS
z$+gjil_T1_7nFIa6cz(0g*fc&cc~7Gd5T6V;My$hlIcp)Tg6l(ER7xyWUaxO(~*f3
zR?5?%P{H87IJpHOu>Qf}nseFm4G`e^;%SqoLR5M<nnmbUhZz3=<4GzlDiO=%7CUMe
zQTZb^&bakyRiQ(InwshVocB7(E;}k)8p>oe_3EfoXj@6^*}j-m|8NXnAGUK}MOEs1
zUu%L~vNTjUIO@6bgE9;0>#v^eFC@oGwHgEcsc|Nfxk^VAf&A0<Z#5nZT-@n*Ecj3j
z!CSiTElsUI9wN7r`MgEY$B(JY@2|RSF-cXaG%n_n^PMRPbEndj!rrhks+af^oy%6g
zbyAAGJFH|zm3B!$jitKMYoWk$*`UQ%YZ{JJ(yPTyWC!B`$N|l4FO9JuMC^F$5S1<U
zN9#$AJ%^&Ws+JrO6g--!MRXv5P`ah2FAM_d#C_BmJR56BOA{mt`U<S!qGYE*V2fC>
zSUC=B{?N7FP(T!cM=v&!ojY7DU|eAQ;z|BiW6bxUpseqlX0zC<9C?QM`T}lDfw7qk
ziFv>Sc5qfyrMNO{YzcH{2GV6lMES6NJiQ^McE?JLwQG}#?lfru7d8I#ntOS5A&($f
zBe@kj<zaD{QOvM6gN(lxu<j?u2mKS<l#eO!n|yx+TmAOO;}>eh7|9#%eCGEo36jtC
zJMMeW&=6P8Cka!0ye*_rpnP`jFEwmryY98UTT66(^W^EtaAlRdgezG<o^hmqNFDmo
z+r?k3nxZOaCnza=9bIaC$~ENU#0%F;WLm#RW~g&V+Qucr=uEhO*p)9{-u#FM_gO?>
zCnHHw+KDV19<&@RJ6E1(cWv&+^J?$ULXNLFy!PH1+Gp)2GI9x0Pf{MY0+cNp7nrqw
zSW#B3xX)9$Pq4CK8-4Gi6*h2U>cjr#7)aqzCwOz@k<FrnXU=3b*<H|*Q-%ztx-Ubl
z*F4j%&tW`hQX9xflSi9)7yMBq@x&C{M+whR<RAtJs9{8Xu<uCxQg74O?M&k)Y)E8R
z3bIPYbYc|WBI63g$5pkk{@fjw;KMeL|ESke5O2!twkw{4x*dZYB}QP7z@la}^;C?p
z&18f~HXe3_>xpg*7IeIf7`7YD{bQ>{3~>Mxr#*0uO0i^p;+Krlac`HPNQ%P?OsnSp
z6&}?TSQ^66&!s4QlEJh~@Y(sbkjWLLwKXVrh)Y?TN|qyUVGC;~`<qqkADk3iD%6>J
z>g<mas8-7@UZSJCs9QV@30hnWGc=MZ*S+~%e=pnTZ!!(^#^Pybm38wsz+&VY`*0qS
z6VLy$h;mNI)?`}>UdS=3l!a`is^*=i9*ULn_7wOS?2h#0R#=cR)W6I4DiDR5P{ue)
zg}3^t1zXOcogN#@tKL3;ao{~gScWe1tfq8$wW%asM-SAUVetmc#cY2i{Mz4O?y~vK
z%Du63jhb9z*Ce|YxvBhUaJ_qT(Ogi?8zG^if~9epha7lHf{gm)J5)$s{eopuTZ^f!
z$#_+!$FZhW=hHYw3@Q)sHBRn%?q{DfcDnhZA=PCWm@th(XQbj5$S?NtVV6i7ZNOTZ
zr=b1a;orV7Urh%U`l?2}mBdzZeC=oyA~1ROCZ`iiQySwB_|_QXilY_nTa?oldQ^gi
z9h2%Rd@O!Hxr#|gZ~Xiweo7e5h#~Qja)cFn2)HmpLKS>S_#4r+dlZAq*>I!c=yjv^
zUF_+SO!o?Vvq}Hi`d#bk!QIVG@Swzm5+Cuou-&_f-pFAXe6pLsg#R1)t>V8|m=xc?
z-Iqy_@?;&LEuZAbI+R?n;K1H{)4@eyaM;A@YB#x?8tr2OY#x=Am;|489#FRpU$m=C
z?7lvHXc=T;sHC^Yj-1$?vq_-~j8;Cszz33*R{pgfr^leehNAZDeW9vQs01I;<m|&r
z2|c2qZgYmP?PQ2mc|ToLKC4~t);}NDlMKjb=%VPby|UIvk<&+fo{p6qBuL?YE-V}@
zcy0F7%@`vqYtDr*Edy#l4@ykF`yz2+r9!`YvAHG@7^GegAH2M}1N~N!n1Kz1`!`Oc
ziQH#Z@b||LFJoUSP#gwlhKU3$4s@POrzGz^Bw8Zr=ILTv*9HIeLTlglEp~nCFO-k*
zi*>SyxPZ7@NSoDi=o+O7xdM86fN=itWjgw#@9{Yjesk#Bc6{V>doJMnh8djUrF$7F
zV1?ibC8xah?eyV`u~U*ViMk7MG(4^=UXlABNsj=x&rT`k)XC9H05={IO8mA_?t`K)
z$=gr>1L;1-x@kRF*_`tC-6hPsVKz#9zMq9la)I)ojN~84sjzVoo6q@DDy_cQJGYc%
zz6}Q<q)2K=;W?q-A;tWl9JSZ+X^a!wlb9(u;JwJzzl&WCuUA33++QfXd1pXO+49~8
z>@(s57V#G3dJ#+dJ)^kGr%b^fpb{i5+rtv?H9i{hCo!qdXJS5^&NtVp=gy(^>1RVM
z?zeJ1;Bd_?^r|3__{_;4lZnX;W|1r@`FTk&Y08OC@7)Fq-pn6T<_Z01MEgzsEk6r+
zytsqB%4DMO5Bz`J_$@&gmOI+PMO6|-k^Il(@o-T}?$`nLc5ZGTPd{f59~vJUk7Jh-
zrcR%qwQ{FsuzQzH1B!~Qt@r409<iV0U&6TWP_AxODGxSxRa&TM-3YDx+2IZyY5hd~
zXb_AyU87fiEx~X|b1<XL1fG_wKx%v8{Di?hK`*_!h+xq?uX^D=d?~7)6c`(t$Zx0#
zLRx}E5riL=`le)kNIJzMq5utbRj7OD%&OyF{9r$}-@&YBz+2D6As5I_V;#NnPPzv&
znE2D`{@LvzumNo_Ey-K0l5pF0VA=42d<K+30NXv4M_&d$Uj?tOHKdJIkHtZrx^i-7
z%cbq3pi_1FYTG-SWhDdGS;rM+doYq2OgxVW+0;(ma^MbbY^Njc*NdHDtHvSOIbO@S
z`tcIJXAha%FSbVf%YPH&jzaG(*FYm7HAXt!@36|mT!QR0BBz=&rU8shD}S+FV|w{O
z1I;b|0lbwF4G$C9+8BOx8h{16^Pq!1>6UK7xHRE)PBLwe_kJ$#4Kt<~EU@o$^LNn%
z#f&CZ%OYC)-yZaCAq-Tj$1ek;t|m_-bDW5nK9$Fyjwc8UFCwSbEJzmrRE4j#3uiYQ
zwK7NsodKfNrhA&w^ljweSZqv&1r-m?AvqXLXi*RCM*on8PLmU4N-ek@*Si>NZhk_L
z5`JuII|clCRn+PszFlbXt<?<}7nMl3sMveWtV#ILzREsDh*pAFH~~~$06o^r>h<U9
ztnX2wU2na5jL&^Cy|z)!_1CDOSX;}LQ2$Cj11C!}g2n<IlktqKUzs9omy^OWW$)mj
z1*QosOQrhJjn(MNSwq`9&a;*ciP>+Is1WjB%2IOvx-+8d!2&x9?YDW4!dAd$(#@z=
z1aZ@&bH6t0JxA<%V~txsu9nJ91nG9DAG0zHVKopb`ocUr_J+K=(6jE1e?3de!a1tm
z$4h(eGzyFTWAC>ffYWrs!ChXxId{=3P^xSu-Es8@;`8O)JNC^*SMYzy)S4t*lrlv(
z!f&b#ji4tz)&6>762Iz_+GI!SX;%G)E&lN1Dyv?G-k*9-?V|tbY}j?hCDxpnbamIo
z%h`Tp3ws05Cc&Ewg*zw~m%6KK>_3&>E?EKx&{hFB`wr)B<Jn&*l_?rqsITdg9NIQo
zi<Hfl$8vE%Sz4IGdHe~i&H5$(f)b4_oVFdRplp2u!3)%TId#;Ja`<-E@Ag|2>T<Oj
z17{pJ)K2miEKh1ye6_@6dGY+sHGeRCx~AfTFFpDY$`1R}@uJr#Lf43%m*ft1CG_HQ
z*U<P+*G2>wmGh^VPYFjX35Fwk!2=$3^Z+F1U{$EZfC5Hdk%MJ7<gE6yOyyb4mw@DF
ztw~qVNl<K@QWU#f$M9CP9%jqmq3SSC!Gm>^b~beTwL2$4YW(ZU=b}DD-O97=LUcM8
zg7uTgj~+YdB){X>mB{Ttqwd%DdZAV5K%dtWEk(0DMYDUthX%r*zI{x9(76zbEF;7a
zuEZjtF9P94<=QxH?<*Otl?g@hwEXIwn8M0G4n!%AX5140a5e`|ab}Loelsx$727lm
zeZE(rc)jkIy__f!-P|2b-ZQFMSxU)U&Ej`|N5yS_Th~3xAE7vBpd%B;_%wTQ??WvY
zbYUH7M6BCqniF~d%S^>*p6tJV>K9g#1eJW!rt<HkoAVYfsge<R0@ot3OgX9C%7JL!
zkzSl>Z6cpRg;UHWuFn|EOeVocQ7yIPiY$h9lU8<W7A#UxWLdJp3=q?~P#?d*Ssu-%
zc<7-n^ETZ<e`0Pmc!egO=n(S^6EA@P9%L_Rx3Dj5QVYdakH-~bI3YeEaH}Pto2^#7
z`Z+?;D<?yYZRv54RyxI0+tS?cWuVpPMnTRWI1E`3qvcPt6HCb(+e8I2bI`ShU-xGP
znlK8_d}U?DWAHAD*W+~|SH<p9j22UWjL=o@+rkye7jpMEGg1`=3U$C^0^j$>+h@#W
z-}lV|z2DQ<#a|{Pvb(3ZUC-2y%cY&~;BV&BPe=MNmo5QnE>N+bZ?kgG>COzTY4uTR
zS4@R4H>m~O1;10HDEx8-@H|p(^|)PJ;$H>sNv&d3#+Pxr|2%Z~Luz0zzY^nAun*@T
z10rQL#vZ;srPot`g~JMS3ig2>PP>+bMdAHfj!Z4zCV0U)v{;;!0ay0oBjfX<#!(Yb
z5}?;jHJ-c+qi=DAm&n5O>x^}*g_Nd|K5Jx{o{E|ROep$$Q&h1WRGtOIGS?^1Y>76;
z&l0!+G#lIEc3%W7SGFJ;x(n0WUWV+P4{;Yq2oG#azx{&NYpkAeyp+ELQ;ilAP%f@W
zie08t_gjEAps(Wt%Kk^52EL*Hf;=vEYwOq1IRf$QbpN(?-r?+~$J1I;7vc*MX=51j
z;v}F)&u+7n(7{16hdOZ<Qa#}<xz9y%zNBg1xGNDz+X5$c<5OV(el0bgA*nh})tu~^
zRK)G#%h04S{pd8oSGCM0R2%!(Q#_voEfu<tYbHtS1X$E7lNc~8ypqpbiPP9lH7ivR
zy0v^ydB5e)9W<E+(g%p3Z$lIG15~R>FQe0$_zH`Us^DC8cFS1!l~B#sYHEGHc~zd$
zjGi>KmyNB#t}nBq^8wywoE$Lvj@{f96dws3GhgpY1Amv-<_6{lZVElUZiIOCpTm)K
zA9wl;Q8S%8+(|Fx;3vGjg_!XRw1BCP&fdPvH+vt3gSUo#ngeYC8h~Je?%zXBTVTky
zIz%z@!1Om8WuP%D@-*zuBj}U2`bQnF2CmHT&LV`_&03`#C1f))_AUk98H6Ml0dqBM
z1H1rHpjm?OnI?8_>s?T1a0Mn4ETXYN$PSMD%5!q}AM%b*i|unh{&ML16kus`%P(u4
zx}Rcs=H<o)u?`(P5m$LbXFxvSQ48FK!Wf3U)-`nLbM#7K+h644xqVSCjC459Mk2rL
z8|E>!1^V1extuUsY%>Y<d=yO6vM#%1A}E(FQVat&q5}h?W>Wx#vg%b+BPMvNgN+mf
zdr^Z*ObxTIhOPC_s~vY>zk1*bmF#g@FhW)JnRgy=N(LkS>b#NVR<mqsfqT_QVN5^w
z{s^&hM?ZxemZ{%pnxrcrzX2I=K*m_RRr3VR-lcz4*ijRWF+s(&3+el!H1u}-tvyVg
zrUk1X%ezbNDsp`hl+Qm%-(0M~Z+4$ES$cxRtav<?`>-;DNy$~LI3Plqjl*6X9{3rG
zFJUlE#CM{>9}wUW^a#6U+E<(GVV|=?ybf4}yo^aQ7cu96s*KH62DsaI0^0nR)dkg7
zMxqCz(k;}SJ9TIUEb?w<!sKITGnEeyEp6>7FT%^75}<OEi>E(+id)D~U257#j1#0o
z6>!h#vv58WXCx8gw)^R)*Gs$Tr^lAy<63R@a7@56pz6pp3eqpS@))LD!kt)egl%D|
zLN1%dnHO{m)=xMfxW-mmHs#7bs@*I60Yb6>ghIjmGQHaanukDnhoc<!>AO(Lqkb<?
z2v+_$O;K@!zOXj(6l+(4wLIO!>dqv2+KlTjcLNOe9O~v*3zf^8V+_sg|74$amRF;#
zj|Ag#Z{dEP_^8+-<x)e#j&Gh+4RwI%q51aa<BC>QcbB0Fu=+^5>Mb&2HC47u=-_vm
z`aPLTF6)ovaVdl4XlNIF-EzoMO9=hmy(MxyZKN2U+@=<WxoXSf$9$u_3NS}Q{az+U
zF?noO5^J{UMpR$%&1gMYNuYJ?@+yNtyDkPIBpS3%18G0T2Ow@Wr}WR=3Jr%}9_zI{
z?Upo$BPzS7hU+5zYPwW<VfH&ZtB#UxUG<~zHL|wpo8bl!+6E1F=U9IA>aQ;HCwe+%
z!0p>?lO9OG&;77}aY*fxyq-05ZCZz^NACIp-2?X$E9*>bv>rFbjD&=hD#UkGd%EKV
zQGz8AmXu%Z4~-B+zjd)ZwEHIfYwK_ka#8ps9CLlAd5zU?)yXckd2&vp;4#rBSY6m8
z(l-WB>$P&jcg8nkr5I(l<62HI<hU}^<1nQZZ<)`g_*q%X*8J5dwNN6G0CSSNjv-1+
zTzhJ22QaMe37~Fk&Eve6rzV_9Pd1M%<E3~WSv3FTisM`sqvBvq&ngc3#W$5u8+|eC
z+J>wK9I-B^`PL8C<?efa2kMJ&3jAOFJHA&&aftjPZi<KuuG|5<o_mn)X@-RH+ln@8
zj^rQ%x46^dEst#(!vur?ALngzwU;y0z*N6Wzxle7G?*TOcrQ*36KTul3+X18rP|EJ
zOZSZbWME+hl){+c02@!DK!`Odc3urjXC<^WLaKX+-^esgzMO3Zht6;)h*QNm^tqy4
zyJ{f|dR(nFnwGE6T$B^FVFvi=eAhn!GW_5?_<RcWD8hV8uA6hMHp1&2olcCj^H^x*
zYL2JrelAO&r;2DK+!Dx#wSwP%iJtwI!h6#jU%xsRDfXbVG^pFA%a^E)86MLGH_|zM
zMUo8-A!jTH)@W6bR56t)*HD7GDAPOtV(1UK8C)^GU&K3PqZF35M0?Apwh5*>jF$eA
zO{wEAhBK`Bi3GuC_$F_0?<GNG$Gbk;YsY^F?@%sb?TQ3ves^g};f0Y?aNGf_k<Dk7
zpy#kIaa}FZm{J~9x2E8o@3H_~KOmX7f}b_2upNywY*Sk|<*CXutDu*h!gG8L=JxGv
zc~==vfkDQNNe;V+$C5BUV6Q|co1@o7ptOQH*2jw~(4{C@n(_A?f9>Mo4qHaNk=^()
z9g)awm}^aBX7khD8t*w5hMD|TwB68WOdI#>5EfWacdfcsI7Tzu(b59_g|PlR28Zvq
ztS8OI#G|B<aO>_#(++7ThN!=j0iDMjS-)YPlS?XnTmx3QwDvW_y46h4;r<(K>n<Lt
zB||0XEEhvz`|}@jeCG_%n*POy*E~I`YEch%WLPWC?ErTzZdhxrVc2(WX%Q~TFUhCw
zmF)v73gurxQq{walqjQfJ&V2k3p|+(_pLeBF$=|NHJ9*#bf)DiD6_)b>;prA!Ysc$
ziB)L`lvQDUIJLkWa@-;3uiX<!I@(1XZ|+R*{!4?o=DYUFTmhF57cbqMVLfn&b;6)L
zUC;-u^U`9{Q3>roq}3@DZXR_5B@@n0E#FIoFsatdQbNbZPh=cV<EE733AUgn|73>;
zj2Jujy~8*(Uh4m}z^sMZ5#^wV7AeLYoG#AwXLxC@ab+v7&8qf1OSY`s$Ow4S^}b=6
z!+&{l-M4omPz&;qKBgY#u|x2C=kaSn&|}K>XKdAp_9f>L?m`bvRBP5p&B*fuBSZWr
zYf{}}Bx7xOah0wyrRzX8?tm2yF}QV=&$i(ay!G|lvqvwlz5_}$3EBF&$2ekrFIz#n
zwziQwB{V%*!>5(&y!kCmJtf!i(iYOSQgL+T*i;o=JUWox50ivnCMrL^<aw*)_Ht6g
zJ9>cAYlnnW(F(QT-aS%)lJzjNusaRU9w_kD62ZGK4S-Bz$D6Q&aRx>V_S{o)AkA)y
ztW1G3$~#fPEbCqmGN1lwi{mf4C%z78<>@iC)e_Y|{mDRo=7_kU1vV!b7ml7ee9p&V
z15j#bdQz@if7HQzXq1+M?ktiLeiMOE96m8#_%~ZxL^%;EkA8{#y0%A(-4sZP$wN<3
zmQ<odA_f|1m5G+H{7;y+`<QYtz&vr#M+AUv*61OS6qG5Jpy)+G<?ocnGLzpx%3(>|
z$ICRgnmK<cLO?GF#8~4C;s<A_?6$2FJSzw0Ai%e5>YRIY-L+SaRplK<fV^}~r;;fc
z`fRqXfx@-feM`h9t^j}Pwdm_X0y`juRv><#X0v<%e}ebCze%3^&jF4C!CTbS7yfx!
z32et<<hT49G;4VO|42Lw>p)e(BIYD9147x)RiD(`!`pJ3-TH|UIF?66nryLXm=P#k
zFH`#~Pl$qj-0M$BqE;#QzsZ$C4NaIW6=hlv0cjg4R5zGENw_NK5`?M;cU(8FM#R5k
zuX6t8pn7aWv2c2>6PDZtl>eoY{Diu-uNa8C^vRnjrDT%oj-)Iwt0|-UTxoF_Ih00H
zR*N;oo8QuJvBp?!^4%#t<Gt48+I}m9jLs}>p0uu!gqjiz_XSK6t;#i6Pfb>5|AjxI
z!3{<9mQbn7Mbo|c7h7iHXS2q;F{Qp9aTHd+-0>$D1{nmdn#6;iVClwkVussJDb%v4
z2Vdn*d^d&FXss>MZA&8<>20_xqb=5_sNT6DEC1NB|Izj%1@mI@VzZiME#rj;UgeYN
z{KCs`O=rfjp-@}OjlWDSm6d+^F*Y?>hJeu`sWRob-l9;-#LAbtNW<)hDh<}c$RUE%
z!d|<!X$`Bp2x$(d>Qh4PDeb!Yk{<Z;Lv*hSOI^v9YqC9}$?CcSTdM8|CS^8}9=%+~
zVEz7sj6EE@^eWUw<@oeqA-(i+lFT_=f>aA1xr5Hinbq(1^<$9jI#*TB<3(KdidGJO
zYb857IiaS!ly{aX@}Q(gBy0trdy%=?J+*ku?S25JTa=5U_ttmkdIzA%0x%m^O_cOQ
zv5#jf|Dof$V$+t&LHq84z2To^mC;q%1KH)W9;AK$@wcYf0jg3fKAp~qNL67n>erf<
z5H*OtX_Duu=!dUA+c@#8Wre%$LHW_Rljk?_Xt^d;j&8Q1PCe{8Lj1(ZQ4N)0o9LfU
z?68rlB#i0H43o93!i#yzmQ;=He!WKnX@w#D08oeXDnUN7s>?rOS8;Pf7pd*9yyO83
zI+<*KCsx`A5?5Xs4^+&pGE@u7gv;!E%HyEwK^`=^#G;2@X*^7a`NPgV6Brj(w_(57
zHnVBmE<_W<(rK%kBg7lF!=B5&^E@JyB?VYmsiCi5fm<@jEM>1bduwt`U+2|AcvP-e
zuTYre&B4kpdZT3`rX8c7xvY5K;c%1{Qjot00av0{+_{Bx-k9d+{~4A%FKcR6{(5+P
zkr<a21Kz++Tt&tfhI-JaYN=Ayxv#&bI@!1bpS~f%z`nng<zV3)N5|GhIKaT_$-%*t
z|6lJF`v3J_0qsqkF8qBx*QFa@wEpdJS>pUP2Bl1!nHpRh20QP|nEJ-Ct!;5rqtC*u
ziJJZhzBK#T3aqHwL6r$2yS*^@4i?!mFfh<Cs0%oivyWe3kl$awN|C%Ik9D$dTSkS^
zDq+tW89FxCv|Vg8OGk0i-0(ND<<y(DpjV7|IrssXA<u28btc(4<fc+?t&nl^MVC~u
z#k26PDxg{cD2}Kh%zz&R);R|fL=NG+_YsAEvP(ParI>+As*h0bn4>Zr1*P|6oSOak
za?541TRIPor~&(FWVxj>`AEs9%riH}>83&Ltj%oz#lM5_iWaY*V2@6`Mwpcc?1bUB
zIm|gwuf~2t+C;g>dlKAmE}H<@TR7Bfc%~><zm&Sj7X#p-<AE`8n96Lz6?~HHBYb?M
z34bR^WeF+j$qVUts1;GrGN(A5RmBSi>fO6bigX|~2$nng3h|8V_ro$pi>1o4%sw6@
z*M_xA_yGrme!`6n>CWEnS-@`PVXZ_UvnJu_Jt@NV#B$rMMy`IH?57T~BmjD8$Qn<4
z&vL52(&GmKEG_Z;`a@K6Mh#NMy;IOD|6RobvA?SRJ<-*Ij;cBvn5kurae9JtZm17K
zb!vD?d%aWGy&>@-8-e52VIUeO3A<G;=7LdQ<_H+<l9b9kYB5YF9E^AJwnGuq35)0+
z^zV~4wOsu|vR=5Ku}@D=v)*xSe04=60mc&3#;j)3Xuj$~bvy=9_qvchLUk%nc`JhB
z4g&KZD0?(RHYYC@*`?kQy`kHdEYL#ybx|mQAl~p_1122DBGFV6XqUIJpwKM|qpQ;r
zzP}-@Bg85Y99iF?PjJ;#kix!v3D>RMgUwHC+-|$EU$r>b<jX&X=E9p;u`Y`J2rZC*
z@Qg~zN-eyh^U%h%&V8udpBz&($8G;$Ss#OZc!Br%usY#c_wIf_yuDhWJ{?>3o(i)2
zmOewi1tJ`f#ou4@pIUBUdSOH+MFN}bH8J*h;yvbmT9pK4My42~?h%@Mw?5;UulOdQ
z&!`0SJWrMww2&k9!HPzKq#{s~-9iSD%$o#RfHX?Vf}=EJ|9*%~K!13p_@R{02vau&
zV4(zY2o<mFfsFwi3cWD}90YBOhY+y}MOb^VrxguL&Pm0blPUJc%1r{(56C)E?pc)6
zMaZvQAV2A|ibT*#N(*33Vw3SoNTm+=3$9vqF{4G;WTa}isO$6+auReE@NmhiCz;82
zVPCzcOT;t|wWSkAj)lI2$C%HK;ZAl<lc~mV-IvV}#X~i+?p(;eLVwJ-EP8wUe3ZX8
ztO%@szm#vBzcO`_@O_=H*!SI^9n9U1EjU~szErLpg@cTpIY+HRni%j*#7hCl#Xp9`
z7RPX9qE&)aa}`p!hlKmFP@TBPhNzH~JdphnUf#D-797Te`1l3iUS@;@c=>(6{qy$y
z(nn4BMZtMxQe>pdy<rHm%U>WWX!m5C<g^R+yx@A2O7z^4s4&I3G5U%sTZg&!hs&JN
zifE=>2oIWrArO*<xv|Gn)@H|OMpDe;BeBRAv-d?J&IDqEht?dbIDQo8$vdyBX9>u|
z=)_DIO_HFrMSb~4z7NJs>3&U^(C3YKbE}|j^457*E{R^x8}m~Br0#jLoWsVRVHPuO
zjbK3lwcBIDZHT82`=PR770TdI(^C3Yg(q7RD-QkzPc`~M%L}LGm$b>Q!W0XO_gKD%
zR*~|fcd*SW)0plHw~3}xVu5s;c|cs4K)DNyjWO{vc}_g&P9oEShdi^0`CBdm2K;s%
zp9U036N)lKIL;tE>J_hsg><JQ{1(eXj4|`nV1+n@T1?Ynq1sO?QWbtnnvHy`ER6J1
zP#WuilrlM~^pt$0U51(<W9*zg^Nl(Zur4M_Kfe>0^47N`Dm7-gWq>6=#KnyoAwmpR
z)WiS?6H%O_^kUg}a>tM#x`el#?Vf^r9fG4b4kdiFG+{42JlhGugN2;=j0r=^`rxf=
zV98%;XJz$O>;GEk6AY=%{vac&iS9Gq0f{0MljfP7v=}_H(Bg@6OV^x~nqiCv@P=?E
z;A@&V4Iz3iHg-iob}QL^3ix=bFAu?;JVO{pf5DxcOBjABck$LerX1Q}lxivBlyQ$c
zV`K0=0}dsFJx5L0<(<3d6cum5#&U?H9G8XUZY=-}(y(%%oH_6YZ;e@!43R*6n7s8x
zx|gby$U&np(W>X9JyN1rF4#a$A|P`{#%}P32@Td6^BaS3Q|ce)sgMBmD4CA4W(1}X
z8gld#9hX$MRZmqmCCm0$2JQgi@!0>gxDgbaI7P11QOU9t9i7TID1UFJEjU(XSo0LP
z)`xU5weFoCiIZvLaq)-Gcv&}~o>!=H*4D+%^Js`r2zf1N?dW*5K_^Cz-L{E$OLIv=
zg!n?SQtu+f+U<-sc^UQm$haSh%y?QJjh!_0iphs`!)xVTYf7~TH1H7w*Qca1)QYt=
z9R(RC>D2!&%e%bukU}amsI8gT+i7y4bUgA(b57=D*a^aKEjm*7_)!m3j<nO69quA)
z8DJ*NFosbY{YNrAg>jvCcD;@Vf3k$P@V3x?JfbX}?pJxgheE`)zwQQrzir_PYCMY<
zsh@u=dAC?QPcHufk&EE%d*}a1lEWC}&KWfQ>|!RST2VB+;dg3if>2U3BN`cIiDG`X
z{csbfGlWu!c<l5v|B(yB;(>&mb~KK(SddzBMdwlM;A2j89R5N3Ks#d#xeC!BNyaih
z_P(u;%8lHJtXPCTgE|Pe!?#ZJ_)`Yt&2;+gbjj#lV4s{j^@?;&@F(>-X_|^4tnZ(n
z0Vi-a6;aH{0RIrxAQF_ufY@-aoB67es((OcV(Z8}ig|$w!|iH2-GZk$cVxmZE$N&|
zZF}7S!Z-*CI_}0niga91I8!Cu^J|)+xZGz4aRDUe6gg#oqt65)HZj*>ftI?oyKrbQ
z+MP~tEm?_9yb}9R_UG(MSeR}jVIldk4K(K6;BV;(@6pD*GrKHwu%`A0UWl&VoBaIH
zwzM>Wp!gxfyp@20y@%EeCNzf{@JJanSPFh;Ms7h6$QHhK<Hnb}b5$P}Fw<4Ps`f7e
zh>k<xKef+1b4MC|C6GEYOs2Sc{KOn}3Fz1*j#)A{MSh2rop{AIyMn4nVWtqAw&kyj
z57xXsuQE3)AArLJ_I^<_jKmG?2^8stBl?cEDt36vYo~STK=v*3Y;!Ps`k(Um<5|;T
zMXQlfI}?Y+7njuoOD4+QkIS3VXutd;n%sF=C2~y(%!%|v?9u(uzs$hLeB50y!U>^Y
zC6X0U4r0t)i73?wNt6auRxdz!kUJqg=dmn#LOK8Fhi(%uU24xt)s6Gj-9`UyGpsIQ
zNNz6IId&kvK0UZ=NZDpW0f37d6uH+wxs}z!$1w7%8Nb}V&D=JE?Z0!*=|*(&OVg(G
zibF-SajJz2R*KDb^^a+u7U}Eha~P=Ll}$kH`qX@gZu7m<&K`Ju?iNWan+8P^zcU#p
zpAHPAx{RpJA>@AgKgYhH?*3exZQAg<*|BcizWVxE9`#XFwZ(thHML5bdEA8cjbmXV
zG-xTZL#rL58>D*Q6X7Q<G2@qIca4!gbwND^Bho3N$DgY}!R@BMG;-EF$mR7v0D?e$
zzc9;jZ;*!5`$ZE~DXMz`ukwyMvou}cc**K6^a$twPLj#JI;a{1>7cicEoK#Yq0u-B
zN8?Ijt<I1z&TyJ{dcAvfQ7TZ2MAxea7_eAT1%7q<q<E2S9;++Z%_kpVm+vO|yF|!Z
z%I1oYb)iXppHVC|saNl4v9$RT@Z}G~dq}3eFkf{i;}ZI}2!U(dKMLmIC@4<d`%!d|
z29xT5eDxVH!Z~!Y#vV!rd|Hs~JFks{co^ZdjmN<}Oj34tQx#V0U<2$?bcw-Y-ref<
zYXLD^Le6dA_e~2|A-@h+rK*qDL6#pRgV}~NMVqxUi|Mo_jJzVt{Og^^?<1fWfUui8
zuJCPES5E71H6t94@-f^9@@Pv%C?BWEHHz^yg3FKU=QaD*fib(%q>phdE=xdRjLd8L
z&TIT08wJPKk3Wj;endWchl8s(!4ze){vZmn3|)`I!5Gnbm(hD3U@tZb&^(A{7%pE3
z;#+iuZ&~GGf-?muK@Q)9S&pv9I7R{N55vO->dy$)<6w?6gl~dD9^IlKgDXDLVHgML
zEk{RzmgHlcUWb{y{s5^X_}^)e1{3s!-(7LXP(RG^M5)I9e0j$OMV;ReLhq&^R7}z#
zPEnpPIB++EHgFrNP6;{whJA$w+%&-m(nM$Sq6Z00V92gr$>462FwamD6N06q*#yT7
zIO)2N!+6Bd9V%3UTX*<R%G`Z?5zL~TGadF84l^MHiX_4v6X|S_Cuv<$w1L7LPcpQJ
z#631!`h?16Q=HbJmXtmOq8(;U2?^~fjPkU}B!7%>UcbV(Mi*pieFxyiK?dbp=A?$w
zjJ9r=UDGC>F`Lz&DO_1Y$I|3TxRETFSoG4H43;nn!h~0&aE@b?(0h(TD);mUTmllH
zPx%<fpU?#7<AmL@G6-S?DwzuOhMqn~L6*%X{BjjCsbDVgD|X6f%a3<Vrq6_Q=LyPj
zmN(VfDI3L?ev(8ui0{yuG9KEFUgZOud<ta`?kfqiGgc4nv9{{HEQ0E^=!YNp9a*d@
z+@3_~MQ<Qei<<-m>z*>H{X939I*OL#V+{-y(V$w4UtR+WBgI(~%`r++l){~eI*%Bq
zr|hz$evsiIBAPq7W-5R}+ja728y#L4oqigO(`161Z1uDm1sT1r?-SyS+bBSB5^u+|
zC}L98&{PY(Zb{s}l(MTF`Ta9N&IoBBLN%Cj9}!cO(2VPFxGPIjOR^^o2}U<|!;ZVp
zW3KN_NLuS4MnReew|x9?y%ZU`c6$zV%CY}TCXmd^X9uO<9q(I%27kVoxk~p0TR?FJ
zw4yR~Nv~=YNYI;>Y=~29);cU3ufzypLphTK`%9)G!(l86pP^mdgE>A|2b`STjj^GM
zdyIm9GRuLI*J&`F;vrLp%)AoUhuJxLXA;{i;_5Ywb3DSS?6x@xZcdp9flKEc+$6XO
zC$kBPXOliofm>W?7!s3!m|Qdshz)0VMcJ@8Y69Q>tv0S8yNw4fvN`py;E@~Y5sq;R
zy@+ldkR3XC5?qP1PG}F+8EYGYXj^U_U2is<19?U&GpkV}tzE)pD=*7x>+)CGT({uz
z{z$=a>ns=g;}4{w%^mUo*+V<Tq?EM$Zf}pCU@O5IWUH=r@cz*UCz?xuupAZfRWolo
zU#HP5g^N#pA-sD;qzOR6D)E&J{O{<z#)bU6hIW;onPNl>Oed4*R9Xq}lf}g4_nT3h
z7zYy!s!@=-R1;@;8pfkLXyz7u0LX4=({x3cF~^wAxV32})=MRDhXP`Ord#oZah2kk
zW%&Y{N6dU;zEyL5fv-tqGY(>U1)rm*h8rYjF?D_dVvmCu;hO=T7AbwF`rW+REgbxW
zc+KB(?0<ICQ)gZ!YBrlcZrO%Nw?n2<C^tiJaU;R%fa{PwR3|gL(hv!y6R6GK(cbHM
zkd81#IRGnVnW#Xu0@h4*#Fct}=2Q2Ep0Y+kjv^dnIr{#K3FQub|HW3wb*r;G(460Y
zAp^gwZ#B>;A>b4g?>?1=t>%FKW=+231~f^G@lYU@<6(W>dpwNC1UnYh*6YkfHkj{e
zJ03{)0bF~FEh@l0n{YL;e{#qbJUE*)y&B!3IFa)ziBSgvGMdr~bB<{s!j(kaS=w-P
z1z9zE$*8#e6!c4;!Zo<0Cwj3e<OQTt7p7TG69eqpRm8{V=p|1e6-BfKk52?77Q)lq
z6m)kHgpm>#u|I;4MJ$Bq#ClIS`=QQeS3~nA>yB0;0JLaA%d|*Z{M{)^Ko=J%MS~z8
zj8T2icRQ7cX_+L#&FdhI>z|lJs=OX1IE(+1qYUE-+(SH@!nMd6%|N^39H$NR3H`+O
ztrN;ZslhhlElAE0pQ?d4iq;_91l@uggz27Mz(hfqQ=~!VD4?ju_$G&1q~DAR2oV7)
zR(7wg7Mjr;fzd2xV^)KRAigDbv#C!@`d2!`5ObCtBNgppwRWD)T$Q;)?BKipz~%nO
zWfR^_aI;oX|86&a)p=1oE8KIUY)0tYwzQ;WWjc(Q&5U|CVU`ogX41y|YdSifUJ{Z=
zg)L8r=m)9lkPt^GC61DGLTDIZxd-4rSdoOtfGaRrE}UvEJ?oUfJ8XgoeWI9t5~$L<
zmnjxF7>rSJp@4+jorSBVc~=r9CB<TiBig-Ef&HDS05xjLIcy|8`Z!AB5g~7R?uJ%(
zcj=5+sJ#m_q5+2d_H>RD<@ZUN+&Gpyc+#4OSt28o0B|KpDo2^I+l{j&3$i=0R5Oi&
z0j5`%55p9)>hV0GCo>&rUpVMn<^2K){)Z#+H%I=(r)1((Auf-UbDqj)$j9^K3TO5_
zu%R-Rg)s;_47A#XenT7WA>sIn{%Jo2PBe3{Zf@(mzNVyt=`^}!Am6YGB#1ihUpA1#
zuNH7wuaGIKix#F+UhDxX>Pt;=L^vnT+3|IJk|tA}=C^1Man~O@Yxcu<ST|ps(9|1k
zRcS%KQWMivm780^MyA#1!ofAvAK(<;8$l_kMtCCqFWLTyQ6~EY5I%8j&K1^z`ROt>
zV`vvTH5UW>o@0mh(3iUp4v`nM$y1Eg9Jo1aGnfzA6c556LW3Z~SrhrLHB>Rrrzy^G
z3}lB$UG2#|`<+3soIr%^SunvUVyb~ZG^_-40fxwx^5-LC{3V8t&1X=aL!1rLuun1j
z^1m6z%8a~QknR)ZI{)S9E?Ul*=?Z3fG70i<054(Sak&kW#Z}u>NZss%(0ZIEaWbRa
zQx=3AdbWtPN)A6jgCwP|7#V8lv-Ld-W+@xx?BPN}U%bFmKY;^DjXvAOd5eb0TpN_+
zwwA)UbMxG=EOfxCU1_;AJ5^<>X4mGZ^atUmspg5o90Y?gM&fNU)MnS?Srn-Xn5tIT
z1(xYAl|Y1X^(jI6jG-`1lWCFaCuP7Os)qjfLp%XQbe-SO<BJi_?T#AU8MGrj;`D3K
z9qv9u3yR;9${%dM*@pUET_1<N(Lg{J`yr~}5)!i|Z5}Rgd~5_9OW<;OyCjW4UmU}n
z_m~BEL!3spWV%tIYa%!(O8U9R;yo=xD@=rZ#Vr-MFdkVc0tHVllypRkAPnH&VMO;Y
za7(dGEQOql;8KN|<+6!CPEV<F#XM0-+%OPyWfMdgsXGgG8E}Kx7Y#*FpJgOD6TrQ{
zX5$o-^&&}|Y$Zim6jtH!7bdB+2y+Jsh*<GTd$u;J(>cU@E*k&xq%5Ri1$|7y43qdT
zIl79IYm}sDK+G#Fxir~U8qLb95RCw>f%?fT7U7#M^~FP`n-RcuWYc|#tV6|S75e<U
zy*&gwG=BKO5-={BT(AD|2dWUkiuoUFp`|v(QI<@wn9(9;8Sq!P*ie%TDX1u$^|yHt
zsL7>V?F*&^$224j0IUP1y#&bqR2ii9st%9L`CBE=i_GTp+K=b80#cGl0Cts3X}b_-
z#1{Mri;me;i^*0;9WW@u-H8^TEeb<b4J{QW!~52igU%9kIm;kmy$;eLjFaw6Tzu{@
zXM$QjL0mAh+-keCu@~WJmInO@(@Q=anJ*mACRndxS0bK*QxglbY*<*cmg#!XzYH_3
z6~I=3a=qaKZo|HFr5NR|w<_O3abF7hEre!{G;=#yOjz&bYgJ=ekv=VLYSM%=+Dssu
z12%-zF?QnS7x}ZN_#&zjb!cCKLxl4Z9IAWQ+AF=6Wl>-m;RL4;Fs8vk&+j4s<dCLM
z*=Yy_Xz?(B?m9>vHdwX2RPE_$VpwA0d;Ew+8sb3|q<Dx@91OSVX6AUP0gRJ)TU8HD
zbij34ii3>AW7nAP%r^GVn#hT~54@N(Ph?OU##xR7NNdkvX-t&RG-7ny)F6p1iO_iv
z$BDAyH<)F4GEvii@XA3lbPWjcXxtRAM%_T!Y%nH~C*SzVFZ%wZA*R7+JM$#xAkR3-
za5TqkDJaXyCtvZgvgH~$g+>r$E3*1YUvv@~k$9*YN_8cG032d?*(Z)kTs{v29S4d+
zrmZv)msaW43SMm|&B|wLGmO(^t8yVkZf?qGHoPD)5+gi^cQyiE4Uyp>{irEGVVRQ)
z@y1dG79(YniI=j{{1RP>a3_y^ME9r()RaU#!3|b9tiBrZKnG;1)E!TgVA@2zSwF+S
z&&Z&}vd*VqIDE|@eQKaj;~-OhCMo*F-UPxQDnL`5ry-sj631|sa)g3B$CGIe{ZVKd
zZqpRc!(^64x7)#Rh=+1y*GYOsW(sEe7Rpm?`uT_dkz|n>evX`e3Wfdo<_QXIEd(Z+
za%@C(g0G7*{dBh+%?n%nqT9fe7+WVx*p_u5t_@UO!y~N$Oqc_dswEGWj+A8us|{Tc
z{XK<VXzy=GUEfsXMg)=ag}v@gIka9=Z7Mr}vltx0mU9U~H@S+aS{N7|YYt;mZCKQQ
zaku(>sOp(@X*61>SJ~+u-7WA6<0&FWUTpCg;%SOm#`HR%FJc}C89hE0C8LqLc`1np
zbhV#@B|4Z^>M1W)-j^`nF_7khKa~^lKIC^YT}iaFK8wWQjJ%~1SBo0omFJWg7kPD^
zR{X1~?3EQC@kVTW8ge}q=CB73UQ^9qk)4SZ9t~)iXPP(OKxshy2)YRo-VU6L_hM%_
z&chgUM~a^Op_@wr4XW7j&d+ApxXObpCww<|PLC$gmtretG6+OiYytg{E5|Kx2)MGH
z37I_UqHPh<$*3GIVwBX1*`NCAap;?E41jZfh!B>!9D{KX$2e*_``~LPgcFKZRr=Y-
zc@RdKvT>Kzm79eD2RC@J>G8*{JMER?uAY3kVa7f&#FrpYkoLno4N~<4AAy{?Kq`(i
zESGTR8Q5Cqvz!E1j%-n-qL@z#fv5l}Es8OVg4|8r+Ym=X6)|)`roZd7rfEU!y_-Ty
z)EQG6j8_ef_Qq5vs%aPwJ8<)}^3r$L)+3o6)%2KEN9~TMUiY*Oi2Uf6z3tEepWwm=
zSx?==KzyxX5j9)AyRGt_{0(Kd=T<YzgTa+654;FAMf<iKi4QlUoUQquD?u+a1E7bx
zTNV>joXw)#SWj_mWTf@bo|p}`_&IoLp66iO4{>TIOGF1J#=(}<JiMag%Fj!lLVM-Z
zBm+onARH|H;RoeZWu2B%KftsO!*Ce?C7073nuF&lrah$HiONz@X|<ekt*i(~w+$8+
z6PGhbI7p*VQyK(F9}fZ+c&1pKx{ecRmcSNVq{)Pa`y6v)?;)8f4k~<S5sN%@2whQz
z#a0=21Z^K>lOT%F7)MijDjZC|Vn4WM<%W}6Ok@1Sq7w>{X=gV9!;0#G(9g<+HN;sn
zfaM8s@!~Avfrh{(&J(JX=|M@c8##rimk=Qtz*wEFrmmy86cS9Bhzw7;Jaf3V667bD
z@-dF<lWgRuLbJ~%8I6;m>`&Fl1e~P{8jPd`-4NEJ0R7rKK0+yGTT7@f%-jHtBjQvn
zVB>&C*Hz%M*qClUf%Y(Yz=>g7hVl$Y7j9z+e?(2Okz4D&?Cc!i^}`SR8}Bo@pt>9V
z@drNv4HcT4kaX>d9-MNoY#>4OJ-w~1$P1V9B!u&tAEQ~!<8MaLWB^;|hsyae0n{F_
z#%4!vA3si#&+l-*%TENJuwC<~z_5=W3zrdWM-=|7JpA2O6BIe2c9Afhq+y)PS<Kee
zne`=1n^D!HY6+L)27laWV|LHSK@diCH3!-Xmq^NFil@=-c?~4qMqk%mP8;Cz^;ATu
z&X8WGp(v=@ZAhs`*Fl&Ynk?cwK^1Sa=k}ioOyM{~+J|~pkfFl#h=b|;+Qz_C{Fc1i
z3QQPEUERAx-O<?LBASp|E%X}a?2HIq(-zrM!40-e>6UJ(&<EyT(@-{WZ&@ck6<RaN
zQP1@%!=m!kP#<Wg$?qBzFLM*o@&|fbEfR#$^cap&oWx>@fK!3eAe17b8a_BqLGxVt
zd3R<76~W6Bxd8`uh>PPlO`}y0V>Hh5X|~&Hjlz69>o*6<q%}!Chfx%?u5n)sQe33d
z3bSm6v)0a&N2d5yP(;(potLM_Z@M4BLx0ol_52szj~)N@>$cx{_3`LfdhM*x<xe_J
zBe*4Zr8CrutjVQwkOpFj;7hYo7u!<MN#Z$9b9PQ<j2E!Sv3^_yJSb-PxFu}rGX{n$
zLmP@LBfp+BbI?o197OV6StI+5wLRnPQ;Q80Ov59-TL88{i?pXby_PzR_@Is=YBqi8
zV~7vw5aOL9QL)?sL`^z6eUTw|>1MjyD4s=;wNt`<D9An#WSD*!*mRbS>jDF#f-aCv
zMdP~8K^5%5XTbrPy8|V+tJ)c=YmEEWgkQ5O*AVJfmUye-Y(rE|8VAu5ZI#jOI{2W{
z-?%2!VhEcX_9b*o)XeKaw-h2OE%KnB8ARCxlIBfz3m~cTnSSFTAY3^5M%iL4Tfyb<
z#&`-SB~aLLQ)Yzo^#IE51;{3Ya(7>InuhaWaH|s`#`$%UURk$S{&-&7HOW_matd$#
zxCe-9+|R;%c@Xw^mE${X51ZyjG>m!QPzl7<g;W;GDh}PvfWFgqNB;2#`i>RIuiRB}
zJZgsOopbh$iLe1OgDc2UHcn>IkY1eE$0$kyc2{D+Z%agCXia%v;vL^m(VvA8q)}jB
zTreDxc;xMyeX;5uq;$6_>GL9tMD~0Vu!CL{V5@~bO_Jd(!k^GQNJEGdgLx1}?A|m^
zELy3FZ>C8Km$s0O2+`}52oyuzg|XVOq0y@6F{toX>;IuFnWY2#hVDgpd-{6MyfLzQ
znKdWD^gOOLYV#mP^p$qrd0dxiZ2C-afc|`cUhAFtXK#DwwGWUJxW@f$91eGhq|D?k
zGDhu>e&?0D#WuVGte{ozZKu=i74)^8&DaZx3tAuehp*qBb_-fx1YtBwvEAB#d-k$>
zbavSB&#bn=EFa@IXSeH@wRDYGZS5Yn2BBc|8k9mBXpjmhp+PF7NAK{(kwwFB6uWCW
zIUSDT0zQ)#MO-GWig`?07IB!gRL66-#iW^N8U7Ux(2yBJ=Mx&zrD{1BoHL1*viVbM
z)QrY#<I+Wn@n@0Y`mKA~J3KzxMd!6g&F9TW=QXCyyZ=1v9+9GtFa4wa-b?>g_v6{&
zo9^-3vt6|F=n=nV_sBmx{H^=ZKRIz#e2RWlEAMv?{I{>qKECaBPd^?Wopn$B4y+4_
z29ME?=;uf7R=w`&Z{5?6r`><N?e@-;HcI_sJwrFQN$L>Y0_wVx46&|W#ABghh$;>z
zIGN=%IAqyyQStqGt$TX<@m;swJ>37O4~mOGNd>PI98jwmm|k2CijlAwm|4LS<9~^R
zC?78}d?r&L-yHVd_-CD$j&AHK<#_Y@heyBpuMhW2Ac`900Ht`pJ@S9^4`2K3*IftL
zf_mk^*_<ec?5b2D2S=}tj^7=9?4F(;pSlD=FPE(A;lV5o^V>z3*Ev2q>;CiX<Ka=S
z+ffu)X_a!kPfm}|jyuP%%V0X{lmk6`-6Mz`b?H=UpB}&J9ytIP)LRO83EqV@m+IhM
z*MC(FoYpD_-07a49Uf5A+Ii_8z393oi?dca;N#Q77l);D+NvQ1@N68WLo^N2#bi(@
z`d_=9Gv@%T8VhL9j(^nYzJBe5XI5BfejoT}{_EnI&59)z_VFA?2^`=Kvz$2Ri&&A9
z?$Q3?(Tid$A}W+4{pPUOJ3M;v@x(v%-*nHqE)C+SLtPXB6TB4ptH@DN4Xe`{iwe>p
zhZ6uHfx|-ld9B$Jj{qH`D|)H;Nt)!zAc+p+j3_${O~l>e^cS<`>aF7H65`9Vvy&c5
z@$a(`77euoA-z(Zr*b`60QY*s1(18}j&BJbo||<Clx~s$Wm=FmCIM6dA)NzX6H(u0
zIAw0n3iO<j$o4`kDYB#XaF7|^zWWX6tGY_nq&0`XCaU&uI=>HHGid+7D69L8)wH#V
zuqNsr!~Xs^VKxc!!FUDozCC@-PFC>K4Mb%JY+EZR2f9iKm%c)8--P0ZxveI-gEDKP
zc?YL?cmc6Gdtc8AbZ25ckg#C)?FbK1ALrK?Q}W|1&%O!09X?Yv%?l{AJl$y)oEio0
zfcHKg9vvKie0%yD2*_8IhuqC*vIXU4l8#z9-hSI_4U<9EdWZWh9um+m_+uxDb9}?@
zT6Qy;*0_g(rCq@ZKzx%6OWQyh#^}6;ekvT_w_vvs<Sf8z2Z5Gnw3GH?o%?Mp61FQa
z;2rL7<HLQKZbl(J&m(|-lbPj=v8(A_NR%}Zou<=HFkBC`0=2<F1T>{Y><Op7mGp-l
zeNl>o;Vqid?!E~h^mwA00XBiwM0xts{evJ6q7~>KLu<G(E@Wqpa-2@WI1uj|3D5-r
zPGiw;LTfcftfsU{khRizJvzlf^#`F`>@?e=<lc~4p`Pz4+flg!#hIfd_GHqXlk9zp
z-+;nKE~c8i4hpP^wj^Tf1n~ez(MqIcWJK3Nh6WrCKO9El*>6H%JvmiPUz-ZclUFQ;
z<dbPsr#rc`2KU)AdLgu+1zW8D#O{gao}Fg)zW<^(zWe0C5S)zs4X4C1t`^2M(400e
zMi}t}Pn>u9eg#%o(wP65(j%+Wd(YEk9u6H_(2Yx+l#PxmjHdJvVDF<=Mm4TKwQuau
z5hEN#pT7TcUX#$^#s{IX&uhSp`{1`c4y$*%{J<9->fP6#+U7c#+13!LJwpaOU7ESr
zTXdn(;};Z#{WM5#8`Ae|AVE!ZhxWwGF=)irj)N=<M=@NZ+o%TT*uz?)wOmtvdA;S-
zCTCIBN#dBkCaj$%S2$iyqrmh&d)*^t3=G(aKEV1WM!~tRRc#xJNU;e@-y>DvpmoTg
zJp^hmo)jo1$R;TM4hL83q4qTnt{wuV-*x?0OHx@7VNDdKVeabrdTDj})11QkCiK;}
zo>Y_89{rlg%JltVJP)F96=yx9ExE};;<(}0C#tdeq?)RZ!LNy|Z{w>txn9M-1u>e@
z#@6}CZ$MIQGfOo=)nQwdELxx7bZxfiri4~OMW8l=<yv2|;5aI&Fr2A$8yQC}6-seZ
z*aB5pRfXrscUpk#Iw}M!Z)dePYuK%;2ji}%LUN^8EHI8r8g;GNC#k8;LRQ~eE4P}N
zHO$sV;=<WpucJb6M$8rrS1lDvp{Hy?DymrstwP$1>lQ+k-cC6*QBQ^B-Y{YTa#piv
zO*!Z7Iu6chhOmfnY9(9Z%dxQQXcDN}4O{k<QfNgZN+=~W;Vhw(0!)xNmhxWAl;UNE
z54#S<(^#NA^I$}Kbzr6K9SgZ1c8hF8DI{YF{==@zI+WvLtTGZr9BRK5hI9Gs!)~#C
zD21jjOnlh2RQe)qbu`@Sx)hGJ4eG<Ld%l)JG4j$Mc3pO15eQP!>?u^*-Wj8R*e%qu
z%K%eIQ>;3d0Z1Y(6PVDPrGWJO^oL!CHLGqfiEP@*(zb@@{bARoP8Wip%wm_7Y@Ek;
z(&v_!^5Hau<G)ae-jlMWdD`d;5_#zu4rX735k7)%Q5fSRc++kJ4U%X!iTN+M6RQC!
zIe^JLV3ufCyzyqUSr;cel1Vqt(-3F;(Fo_tmGf}smf<KN0F+5Et=H-G&wGDE@9AaI
zP?O$-{b6fMJ=DraB%i?0<WDh1`A8Y8e5j3Di7{aK%<I?I2?XVb*hPCfZoz>F=NkQ#
zbAU>97KrRAch;aEez0qVvD@Nl;Spte2X17BDx8I8tM?{+^>TR3TE_TVg(a?CVEI(@
z76G-HYO~FD7fFih6w~)t_?F$d{sAQyJk^VtAgNT{vbrLTKNz>9-)W-Csb3VhL3xjJ
zGF|TUl5+Uy$bZw_Mdvj<YhL3%4u|3-lX1jpM-;Hu{2Gim{y#sq|8>^w?V?|Ho<Cmd
zFcH1Y^GDQ;K~UhT#Wc7j^z7f}7_Jl!P&>%*&woW2Dh*k}qDdM;V|MW)Y2ZU^--1D#
z$`<_c#j`PXLzh+YO)!~8(3ZsC39Vj#|Lk!C?L68cAHOuv&d$z<Emo)1BDw&b*Lp90
z%la>V**mY1l9oLe1vG)Xxir|%lR%a>Q#_mvaJ?Q31`T+@F{qtjFhD=;p&q3RQD>cT
z0Q05}bsFfrc3y-1=0uzr&Ck*x&MuO4LSJflfb+o^UO@X22XNOWdjm;=rcn^aaPdcz
zQYXB)-G*bZyw2?uTl^RUn9Ks4$v1^LxWQY&Io~WKq*t!!#wkWu_?BK+4wHx8w#^n=
zn?-D6P|p%}Ci;Tl#BTy>vQnLYU*s>sOPS|AukFG_KCfM2JlzhWaE|HR(5vS-&bR3`
z6{N{|?XS-Zs}TZHxaT!xD@f}yOJWZV#zC6ld~cRtZ2w}x7{bBTT_pd`Yj2XcfgV3Y
z{xn68A3c7A9{s%g_?O+Me?>3eoLLZX9*j%~?^@^Q=d~w~w*U3=x5x3@7jK{MJjTiX
z{P3qV`StO?evhB_d{V;#cC$TAu5pTo+x=TUr0&f$g(IJ`>RrK<Fge9}!{>!^RW6wd
zsX7&mMQVO<eU_&0AAQj6l(p0s3<mF6O`@3L>&^#zB@W5C84L!x>ZXQ)VN8|K9(vzw
zasd;@VT%LSTEH#bT5~?%*;pIsi&z|FILM~@<QBK!i}x%HlF2lIyN=lnhT-6f{Gz4u
z@_%a{vl_=z9fX4`2zAw3Fe?#yMgFOEl&kgJ6P}n{vs|CNlt>JXJ@kdl5h7VTM6dP9
zx5wn$fP8yGuR<Wr2nuzsI^IJY)_}gSN15slh=l^GfhD6hRW`G@q=?m1oW|xw809#v
zvyxYs-ql4aH^X=k&4xHr%G8!_-CyT|OQe=Iq(2)(KDW5YI2^$&!gyMrgi#b`c#y<H
zYb36_bIdz)GMuxZqh5zHanV%+X|VZJ(XpW~T9XEGoF>=)MJ^&44L{~t3p4|`#Lh7e
z))&2BLh+<b5>R@zZ*$xWKV!}<Jq)1_scl7jh85&ZyrLHEDCsl5l6<YdR|`KFli6(8
z%)-yujd_^$f(fQ+llm-;b{c4wMvqP0p?rrswx_S5>Q<9J_w1^V^{S7JsvJ)ac5jcj
zEAdokc^GBZ+Cq8O`hVHE{}%hd&9+P|p38RS<*J}s**XU6ixo7XyGoca?3UrCt58|R
z4!FdX;Hc-UwjXE>o6T0U>8SO^5ORq*ZIO+G6b~u3>gw1$NEwg(>9m*AO*6__f4xk|
zo&NZ}@$<a)_UQ2F@a)ikefV#Fp!5+vPHB{Qi^1cG7=F-mhXPX{F9(TZ^;iS61V;OZ
zJp<Ge3Q8}a=R@_@a7fg6RCH2Q-HA*p(>sV<Yn7U-1M7zwgRFPe)Hq<SIYQ_34Tx3|
z%|Pp=%q61wojK1sDn!CQ1}3lq+$2K_5M!qU#6?4_OA4mW;!Y#(wH9FstY#ALhZ$?G
zy~_lu3`H4#&fYpX4m0hlLdT`$RMX0}<A7bl8fMKH-{kxzH%&1#%PtC0`$Np@W#F4^
zdEdF$Zvjec62SkM{%2hn748agDZqhW{^VBX^-tnjV%N!pgkEXM&n2+Y@+$%jE6wrH
zuM2b_Enf*L#6fpCmKuQpr0H1uFT!D!?#^rGRnGEOEJt6;S9uS<W2lRgW1!uNY__Nt
z7Mg=o?#gx#vxF6D#<HLz!C;p0<1cmn;}0aC%#(149-+VUFT46x+p7t~eL7rlO!bce
z-$J7DO6`->aCZ1HxZm*p6td3#**e^1nHuP0zkxmu6sWBh^5OC-V(!F6yy6XA@Y=2n
zWqC5q_<eaS22PV}(k9H&jC4$hlZM*63MungE0tx+Bb#md^?Hl*S|Gom{Z*Y8Pepow
z_E7y}U&tNx1q?*`MTqp9;wDzL{-CJ-pg9Pls7@GTrRtq0*ai{gJlJLLe5Ym~UnD73
zt|w>NQH>I1ZViBS=*vRM;mR>eM)mWWbTHtRzeGgTt@aiw%QB@8ObN=FQX(Brrj#&|
zG9}>g`9hRLLVSekSX>I^3^rG2G8_+`en)m4f{~L1wG<t^xxUC9+I8uvl`a{Ue^Oi=
z&K9!C_XQcijTh?3KNi%-$_slWRf-WpF2CITGtA85VkPeTHQ$#f@icX~`loug#cqiD
z$8Hw4mOOPRWqsZi7Zuqq^^YgR3ap{}SJG4YBvSv1#9<9AQzM~je(CzI$8Z-Lxf4y_
zHO#CUCs!GC5lBH+W6#XxRZv`!C20RQq=$&s;%2F=S(l(YED;|&z8PRV#6$G`mx?a$
z==!A<v+%zHiBYYw&Fc~^K25URc$u54Yy15x)ml_bEtF|e<852&-N42hT9nNp7Of#C
zz>ZOeahTJ&KSZ}UH!S^v_{;Re*F&DZ@mcx_t6{GC2wx9(X`f*md<EVtr?qDElmJ0u
z3fEto?j9-&7SzlPJAk6;f)!nW2<LGBdOVxDRXV9a`b*u#+`u!`UW>P|R@!;ds~Te{
z&m2JpEv>t>!Qw`Fbz|&MbY;eO0i$a`G|eU_?!FZ$68e4}!YYzp7z4}K-WoB4n2^`X
z>$MxGKg(T}SdgS{aj@ryNg^S;h4d)(ZtvldDCt?tkF+`FqV38ivc!WmCSuWCfhoP^
z7F>8A17G;06)U*F6@;}4`vAoA(<;)*TU-Yjedpx>hjV)E|My>*`n{WEpKSST@Z*7I
z30z5_@VeN@RFCPrHVJ9=r@;7C8@mM-8Ws^_6^z?OFA>N)C1@_c%tbCOSu40zXI`pS
zTi0_EW~p9QJRh@EAI?)V6({McI#}R*UCG(4D(Dp_y1tluvKC!J)|V>Z;XdtXsin$`
zFdpG_nuamF9pn86DY)d{ILK_;)Ls7BcNVxNp5yekURR!h>a;4pfApc5jf2Nee+E6N
z6tTxf3X1J%!TDfJHyXZ8qXxtw<?El|63WpW#utfE3eYHTEvJxeB@425xPMCT<2k`8
zs4I9g0$pt6%cN6L1jkMDAdEBf?VU=UUG(18n(%gpQ+|U|qr5^pN(NUD#TXSoG#q+~
z{28Pu8gUY{ZKbEoRw%9-<wSi*UnlP}j1)%3Zgph+=%kWkXpV5+Q>t>nO?Lm$;jn?e
zpftGN@1D}Pn%coKPeZC*7NjE)59!Wp{0awWh=iQP(mGIzi8wp#IdaW7`Z6*Dwpybs
zy#mk*CTM9kMVE4XU8FsoehL5MCqCGHRGb|JEecX8{S*gR)!_q@jN&(&6f(*hT#*^9
ze=58<1znHBNL*e<ypiv}a7AM;ar3{$DN;N<d6~$H1Jo?AbBMf)Z#PJKhsTNo6z1PK
zI0E_`42&mO790@wb>GSiiZTwaSVSu2UKp!+7o~_OkOEs~=?;gYwv2+|8yA=iqP}No
zM9dxM$OjTxyg#q?h5h=VdD8N0;f9}7uE9{t;&cr>S5tl(V$a$apPGjkobCI`@Ro$=
zY-<3k``$cw@L}=rTWnIc4=TVL%m0q*bdUl;QdHk^guJ^})g0gC^(`xcT1FVqq5@$B
z@C7nam2+ih6_cw5O7SpESujgqNyh)5;hVex$7EoiE<K>ghwbEC%HP-Tatd^V?C`vj
zE5}0xJ-d+MTT}o8unS>C_G2<c2V0Wit>ZBhN~6To6A;BGS5AIg3d|AFIGqLkdNv8h
zdNn8i<18yQ4ycIu{I8S={I8H1dW8a}@V^4)@IN<`_+J6D_@A3;{O`{3ylUBqFj#V+
zWD}CCR1Q!ib;v|=tL%#~4x-3X+YeRW$c2fbq>UM5TS*)CqP(iiz$6*sh+n|5@bw>6
ziH6EcL5ePesRCSfMNIJ(A5~DxFa9XG(5MP<#WhD?(E1M>SR2J<28X}Cwq@2)+gsTi
zM|-o5J|=$FwE-un8un42hIXiB*(8&3kVt(GW_^Tnf0mCs;~<J~Ji_2~O_L0so{@+O
zo^YK8Hx?hpIZo*<^a8((nH8AgXU1Bfwb~Kk99<hEQHo-N+N{X%BEjrA@NZ^$kmlLD
zFdx_XD=fhOGSrjYnc$p!^-ucSo8W-EqdWBd7spfU?duxWCV@AJve_5<{)_pj99iu=
z)k5-8hPY#b*9&?#C4_k}=3LU6o1(+onDbX_L%qsa-5fB>L_}gjY?{04khQ1BS7z8Q
z607}kZ_jzHVfJSuWW`2ep+6Ylx{-7=Y1O2Gl#^W!GtK6Aq3<RS>K3>)=d}(Co6gvI
zZC4QF@_kI_cB|nK9qrtsOV>0M=T<dK^-oprwnE$JMfa?57OUudSd`^1H31BPEgu%A
zbI4pR!e&btVNa(k4oW7IARYo6w6{1rSP-P6*#yUVG5gPJaS{)Jts)>LUT_m07m5Ub
zmDMh)^OKXJ`HZLuc7(D5z%~i$01AuM1rQ_JTRc>!iD(j%i+d*M!uNup%XV#3(C#52
zi0ug&Q_Rt7bD_u{1HBE`ufCcvEAm5+7hS=7v#4ucD9)#A&|bD5;*ie?&c_J|`pI$c
z%qidxN4p^wKJJ>^I)P>;yBFa9+I1lzqT5ASNqDHV1cL#d=JLH46c1f??0cvX+&w`E
z%rE3?y51OX(5N&I(QG#1k^)Uc8?F^R1Z*d~ax#_{GpQ-5kzAD&%7jNrC7REutZ;^J
z+$)W=5=~|n7SGbiS^B{eN#!@sLot`F@T8o6`pu9K;tE+uBbJv1_HKLwTL8T4zEQ1s
zAdb`rafD6VYp8hJPlSUo3v4G*4fKDr693IgII|KB^u^e}tfc|IQl{c-<R>8EOzh7|
zil;$}d*LW1GlfT*2V{DNpS9=r%TKH?9pOZK)6u=vA+z7s^XjC8P1{W)Z}-Tsw+og?
zQ!FJuf3kFiE|T|7RuDR@o}^I1q@_ImRRY-&&bO8RR*q$J;lmSEQ|7$c@vBp?$^zMM
z7t@hh;b2d}Q3UgxR&h(W^ox`B-?>^U&nkO9uf1U#i8D%Jq%pmqf4<nPzU=u9?YRWh
z65?z&B?bu(2}^@~mSR5|C25$CCz%_>`}3M;w4L!*+d(u+vh&&pdiQO>f%GulK55GL
zAibUD$u3eWzCW+g#{lfS_Q4RBagdFz7UW?;{b?{9hVjU1!k#-?-EG;^d`d-rKN-O6
zI^`?y)f2rWw09`z|Je9m6U;`r#91n00iChQJb=rOSTGqtjf>k!5ed<TTfB;)9$9DB
z8V-X38%GU&=&l9HyrRSHmcFV8^pLKXR<ZDFx9%xk)xHbewsGrTXp0vy>BD5OO_U&+
zx=vxD>1tA?IGH1rXekh(NH^*?P)NiTfVh#Tz*Q|$t&SE@9BXtoELmC5)hKFL<!IRL
z#FNTCbtglLd8L0LYJzuRp-?dq3AGgv;tZE{&q+hpDw&kO;WWIsU21BU*ke~<{hw=)
z3o$F6`US`ecDV3)V7A;DRWD`CrSukM^&3S3x^#-SclhGyK56~}JpP;T|GEi(5S-N$
z{U8N@<^(?x!?h>&H<5H+?B3j!H_VmieMdN_UZ^~zNX?ym+vy&|u*qJ);m*XG`*{|3
zyqS4j(d$;KqCHfnVEARDdLDItUNfZY@5rn_>r-o0-!ZE08db{@ijLsKJ?G^6whN@b
zQ9eh{{Ij<`hpt{!XTX!D%4+f5VUUDo0YcnIw@|#-rCo|NfROFAtAYDom8~v5iizB!
zRLWZV-XYlvoMx*w4dG-hF>1T2D1!Rt4aM$r`>xwt_?c0DQwoKzTcaSut~F!h$QOTe
zg}OVILv?PW<AwGv6<#7%rT7DPu!a8kLuX@izkA@neSJn>V|I9S);-nVP$(g~e8pmT
z;{A31c-!rrxvol9iAC(Ln@F%kr;gu|%2SJ7k;Q)skwAgC$)s2`rM3ISA#I{)lC7c_
zMfHQh)hJD7@sKN%4~<$JOmJ4)eP7GRVODF@Kvi{;A+9xQ6jM@bLZM`}-J0ilUElW`
z9pCRX-unLA#v9*%)9Ctsw{h(I$MDVT`kkk3`tZ>A4`~TheC7MEXger?X8`Mk@4pa@
zqkXe@*7p4w0|^iQ;rsuf-(=tLlY9^upZ6(DfFZGf55VG`@4pj0KI<rT0FLaNL!7oH
zMDqKLHh~W)ARnY)NE-`!h+Zz+v}+FW$m|rrXq{fRO;SK@(Vy~6H0cOTUYaBV(#zok
z1b7DDpbB(nR1stJ2_lCSpw52J_upN<B%S&u=M9=0;~Dt=z!(LsEUWZ<zb9FBpg<Vy
z`~HY=`gY&<Z}$Zm<}a0cVaNAFM&Iib-@iVQ^?HD`^5OGu3ILEdXdd`}00pE<-Z2`}
z+VCOBM+$b@6a;(-Id4-UYBMKpH~!`O|B{0inBJ6?klx7Ge^QX}!9nJ00SQb|M0pJ$
zHEK-n3z8IjFfjqHHo?>OCVJcyT|mY-$j@s5sZnFT7LZVpgDh>hFi35tr)vQzH58q3
zYXG?cA=&^fH-P1OK^pTF`#x5Mer*B)C0X0|GsP)^vd$(3xI}liZQs9b%kg!pz%Ifh
zFsK~lP9>&`fZTvJ*#O85sJQhoXbFi}2lJNbZXMHW1B_i_1YfT^LtSZ{y4jq2u>oH|
z)3i_40y1p-ekdo(v$X&nwS9jifj(Ue&<zYeY5RU6@f@$FCB6nluiCzUC4oL)3($2;
z!NO^#0iSMUnth{*y#aHzUMvl|h}s^FQlZBU1V8H?#O5aG2Jl=jH5Zvl1zJW6nx<_!
zC+zNaDoZA9-=8q6N=64rcEG5Sul<FHsy)mr`&<kgZsX@}Y<k}&nXq163eYx?UD|+8
zvW_qvN-F)hO%VkucBS1|1IP^s*akp;J=QHUDId3e|FP6)^R?*uM{VDKB!TAl1=?G{
zv~GY?8*n)`pb9pC<pw~mmpz6+Xj5v;1Y#rM(7Iit-U3dCVus1%)_n)E2=UgdosAwf
z;Q61*HP%$mdNM%kB{hItZ_wUbAo08b2Vn!;+W^RQD})W;xybC(6wi7b=?#GVdal!^
zCi^;wvcw3!a(7>kKZZ<eZq<BqGQHl3xhatAmD}C|&iA@q6ac!Bl<r1=Zo~*|AXNBM
zu&K9zOAK(jYxS8nLYuEY6P=Ej_Asr?`#DQw)(=2x?s~iykeXxpY%L(ykqX`Dz!#C1
z_4c>{QZM2K{8t1Yz6kafNDOR5O>V#k+DP`tIX&+O^4<DVZR?Hx0ptdfGf=U+RujGf
z_N?2v*%Z$=0CF9{oB{IxY?f#P?Abtg@MoDn>t#@Hfp}xR`meV@LRH&Vv*ON1gKXN!
z?wt?mEs#~bZu|bV<o@)&adB^f0BF6!u>tOH3QLUx>oKSsaiTUb^!0+2QYH_I`F`ir
zlP8vpLs{?>zJa3e@FQu;DZUOrSq3t+uXxz<1R2!%dEfVc-j^^){rLf)LcX4O#__B2
z4_`l_C68Ol$Ur*{_k^7ll;aRugW?E>y7Y;+ugsE;IFF_efK5(GDEKK4)QO7p_!>d^
zjG_$a$g_Le$;V3zto&v)(df@Nau(Kx@fyf>>?4N)?eRX9AK&l%lcFvC9Z3xrN&<p4
z@I^UZ$YM!iK!NAcBgSHhoIHC7Kj8za7zL8T@?a{*KR?g~>2wk4-0(*sWq|p{c~D?E
zjGAw}i}n>lNwz^_UT4}-BoJJ(j(#>%n<_140A1&13ma=<@{|giqB#IXsKb0McnaOf
z9*hZMwUK=1sHQJXROL4b-0|Vj^T7g3PqCTRz)0;KbD>9+{8p@y;e+khHcsctZ<2{}
zZU{{W>^xXRuGaHWD4mQaQa%sGA!1EFr>cAco!B~r<U2HyXOe~f+gGGkQU;npZ7CpH
z$o8DE%VoFVL)kEI!jP4ql+}a>g*AmlDo6@jZz5hGi>*VaYF_)$l}P8I4E?!#=*G;D
z?W7(Qev3!-ptP0}VPny&)iDH|x){Rhw7ECwa+}~oms6=2JnCdHvT?Kcxy_$&EpyW@
zV1iDRHVwGsh&4WsI~-3*90N~-1ApE3{lD%jL-?iR`@a<4wDA1bB?zIl%sYy@U@$Cp
zNP91u?c0^5`V-xF)caEhuer!Oly2nf1vOSK8>GdUPuX<^%MNtP+Sy3lv}M<xlKftv
z2V15t_tnvQ)J;`*<IzY~gy%&P_0-I!>&5+I8@6FTX#vj=FqNi4emmw~pGQSVS{g(7
zi6$PsOv8u;L{zG9Q?o_SRG-K-=M1f6m^6*lJC+-6dr<!@_8|Zu$dh3SWKS-|EBk=9
zT5qlHB8*z&$5QN;u@(GuJ>wz}ca@MpMuL(GMN^P8zUe59MF*Y|7)tC!s#F(~OI1vy
z@s@m(ADZ@y-H};of6~x;R4GdHXY?YBUt7^wMy#Y!;*uSo@%>Jpq9b8TB;?SbG4CZ-
z^`fR!TJ2)6E@l~s`F<zunC;|PWV9zItrR(F=V=qyw6P)F?9;|f-%2E9tZk?z1Eism
z4ZY6^^SMj)w=ut=j?10m=zZQ-2FP%fLj**buOWM145Pez&oSFBMWhVUgVeo^yzI;+
zp1K#wq`uJH8<Jt@g;ye_0N={#y#PxzzU&-&y27K4U8IyAw2LQ;G3%ylj@^Z;R3;qF
ze1DzDN%$Ia^RDR(nPib{m1rA*MOUUInWRXIeJC?VtV|{Yq0A@#vL<GLDp&4#TXot?
zEkw=(C<61cZNt=Y_vp&D5&)QhZ9jPK>OzJByxOHxm9q|AO4c=>?B2(!{nAQ4w^y)G
zhWv1vXrY??aN4TH@Qyl*d)#*G*lq5l5${OH-bDl{wk{%Q0?dbQ_>rZ8?-0aiZhxT^
z5s$_?OLebxIxqHH$<N=sLU*rQ<o!vd{7&3U=W^C;%|9-2_T}L9SctXTTx3%i$^fCH
za(%_z)w#8fVR*e#acgXBsrNL>A;UM<Du5(|0Z=DR*SV@uikwHaqRiMVkCKMN^L-}{
zQa}rE_-s)`Hd&(k9jkl8kAVV%!$8TT<NJwIq3<hlpe9XShML>5*1j?|q`zuAs83be
zi$Qrb6C#!f7m?kiJ`6#ZGZ6$`hMKOZSXge-_Oh!aI@zv0n}$0byH-c4em4Y3JBbRX
z?-Qnm)%pNM7wml{Y5*XN%R=h*%hGV{eoCoLrE-OGsj&E1;sXv(6(`LEJ>91sukUv*
zDDeSBYv8>8XEhpgh`vXyzF61s;I30wen?VTOfm?`n2#cgDFm5@2ApK4E|E}JDmt8Y
z6)a>t!%5Fq$z>OEgi;CUJ}IMz%W^^!)suq<GDv_ABLLFjc9of-6T}G%8ml22JTUgH
zKJ8YyV_iNB=e(3dbFMjg)E*j(UWdA;Br0|kag)noHifw~b%h7WLEKobzdlC^<~wb(
zScYrxA-!4ISk5H*Q@42p=+1#QTXi*~dj&TgGgh^m{?hjSU!)%T?4FofF87H5W9kNv
zS_(VU>va9)Dr`qrBpSz_s-%?sm9=j>zJIIw1X@2&yGB1AMA_O(<iCr>4!C1%&EesN
zy0&CbrFp@+tlG+{F;xH5z{d9F^LAmzTL>fb0i^wAS4Ie8dDJ+8tZ{UQ(i~EXNsT9@
z*rPFuwDFaT@@g*2q;mP9yqps3Vr8LSUMN#vm?cIVCkG_27TX8FIU?7{rNbnruoOsT
zR**Jn*BtH}J)V;-9rIX6<w-{(K-nVY!hq0`I(C6gR+f5|=ox;zT%wU?nhQfqO<YS2
zTxvi)#s4$tD#!l-*Sen_I(_`L5B&kIbw70vU1}$z&tu=Y);-==hAv}Erk$Xr#7Bst
zN0YE(&U?!Cc0Mhlc7^X}0JrCSi{;;>;gSFg0?(EUPRR-we25h=kM7u(gydtrG_M<0
zdQsBi9?dI4RaImPD}QE{Wtu^i9|z&}UGURxiQ27D$o%)e70o0k5AR|4pzzZit5b!8
zAR(NC&)Z6f%TZC4wASC$JV&aQ7^Km{hW>+t=pv6J@bTypezBAbq{NEIa|>}Tx{Ws6
z&^0i4Cc`KhC%|lmZ?^iGc9q!2_d7=(r~+v(0ID<tazb=`duyRo&r<8U3g8=H#K%29
zP=wboIFI*z|FN+jIzA8z`?cvJLvy1?!`QvC9OJwrV^d1wLNFTfpS6Vuy;LB2-A<l$
z4h$e3=w7HLZ44(tY`wWe;tTyUho1ww>6rD6$Whq~=uyLF)K>t~7VNZ!=wS^lWD*YQ
zvuizg{i#)7Ri~!m^=OX9XrX{~29MM3{aeUyP+ttnqkEN%+Hw*?ZDmLv^{wtnqssbF
z*411a`c0~pj<5MoK4?H<j9Fmr`JIcj4Y09`5KQ)^jsU3K^_j8~<!(WE;L$tbq3o}1
z-~Ve{!RCb;VDGS6qmJ*7I%X~Ssnw4el^839a?xu&Q^)LeJ4bAWYSHRY;i48N=50m6
zNEe0;Qevk(@aPT%qXoMqU$#&l0Ew&?)qOZo`?>A=Kda4@2S5+2BgPfkLU}-1Jh56_
zb$tJ-qqI;ScvQ6;Eq-eI{!eNj$^+8k(rTf4-!82%U)S&zP2f}wtu+jv<)38><pGe`
zYQZLfY@s~xs5QKIi)zL@NnG7*c~M?|x~yqlF2H>#>xvi#RBKN}i3O@PqMLIu_29g2
z=SlmFs?y)vzW;k$fhCY*`plK5HxK1?6!%_Ml^D=$r{TK6H=!KqGufGV<|$b?M`LJX
zi-JejfuxH@bS<+Z410UX)3PB;GvHA#;F}HESBA`9v&UQI1w&>YfIZ~AWXMd9@F72c
zAVW6h-c7-fSrXYE^1Niozwi70?=p#cdGIiXY#5u*1w&@SU=R68$&i2U`2Nqzs%Q6M
z4B1e8&&(mSY!P$+q3c=K_h-s!0T$7*D8#19O$k+)Ljd26Bjou55embY>=+a}VM4*C
zi#_~jCBrwC!p9FpC=4H>wN7pK%f9dbBB%b&1L5+5+HNJAcD3*OS8~YD9|)Hhv}r8r
zw1>R&=hJpZSnzb6HjTj+Lw+D;d_kMG(p;W&e19Uj+<G8GuA0ki&!vPS^BN+B>d`fH
zs3S+ArZQx5MjPN0`J&yyYK9S@!#Hh};(e0>qKT(0F34i7^<~H2fniLEn|<Ykn|jP#
z4p$P-c*eVV(zUyh7{LdOObzxm8nzZhLI|E?T&@oFw7BSQyrJ%7npW%XQths%uMvFf
zsbf1kMk}#msOLtXS;xLik$mG@uS1tqRlWgifS^c&v2j9vgZ{cA2UreTqh{PyXs_vq
zr){h`z4pX?TA~xpx2!x6ow%S&$EKt`<mZ1r%V*^0F1u^=Z_L-9K9C_-MRWHt_77CB
ztBn19Tsreovj;Nd1zkE&n)ZOle?A@?i;r_-z=5yjSYOE95CX14VgN%r6FenMzh7-O
z0iiaHuK?k$ySBO$k_xCtb+fZJV-D1&J|$CY&e}}jE85Cavh-$c77Idc>f3lqZrZHP
z6h73Z>eEvev&`DeX@=UAMIN=kYoN(;+)-&lWeS9_025|Epf<(IqtSaM=Os<@g4)aB
zy&QLzqhO&_b<|nT);=6(+&sFc0${s*JSZ?i8d!0Bol|h9L6pT~+qP}nwrxBABoj?+
z+qP{@Y+Dl>6C0b|t$o<qs(t;cAHM3Y>biaIx#yR{z~Tey?+@;CN)ttIg5RWm;zy$+
z`WC1%I%au}VTn(+Sr48QQJ@m9vMqfWW7!z;wMVV_g&#FN38IVG>ejD#w>Q7py2n`%
zA;}5R?<j&DS6dH@e<?hcA9En(W15AvoP#TbJo6KX>*gCyP#rW0Vw7D_vnQ&ur9PqN
zxH@(YOq$=z@-FXi2KIQ`3uo<7OpZK=j9wJm3^t=A!;zXef;(zsDveIfH@7zIt1Z4E
z%AM=5w~>Ozp*xb-EN=(Ys&UeI<@uZP{B1%W62H%?Ep&_KGxmy*unHQUS&`qIFl_%8
zDj-Jf^{F$*P_vsm2H)--GVbaj->Y(;LcEX?Ed{TpA8(vz++JH7Vh^Pp4vTl?GKVm{
z?tR%*=Qb!|pgl(hObJf2oRoYDi@A<p!<Q<^>rQmW`0sV-yabGSfra<pCN@HhmGfw}
z??M@x8y#?(K_xTuVR}ii&8M~Q)}esRxUFd@57sp`G*>w(hpQ)>Z37227sq1Ef}Bls
z^fI<lG1r5zr%P5jH+^v*<0dxi3|RndG_kGHISSfOmP*ToZkst57E{W`OAK=5sidC$
zRlX#Nigx41Kq*ZztC+CjtmlIX@VcPiuflvNRE-|^ksCv<&RMlrw$Nf=zrXJ459NkN
z@gvT^H&q*#M(ipz3Rc8a;v5E4O(!r9SzX;QDz3w<uIIO!m<dE#H&OSScvvcwcC`yu
z7AVHwh=fe76G9$5opgfIhiCOEGIUG;Ve=qj%CaMZ4T)2CS!{5jelUXK6=h<K3{2lN
zT*fw5vWn|47a*kixR_YV=krC(Ax6>L)eu-QHk{{Qv{b;AlZUPWx4&0b$T9?vZzFER
z_=o3Hx6%ZH#ngEh@wLyKsHHRO{aTH12S#ZH+;GK}H&sc1xMhD`M2Sn}ueWG84-7YV
zzTKd28|Rg7pYas91F!*}ALL;+cGs0B?|k9Khn@b#j33EJW_2!f=LQnMA41wZu3SX9
zt-m!CTne1|uT&H&M8(QhVDrqLMPScYD@4HEOnH5_uHV0|dJ9F}_~dM@7oU#njo_z-
zQ#2)R3?mJRfgnxf(&gm%yu`|yan%#K%A0k&7bx63S6hDRa9_%fUNzL=NrSBB^SW?!
zt|6lDmEF0hDR$8eK4CUjNvlJM(4QgW%tr4v-;_}#&I@xhuB??v)SWQGj6k&%Pijl~
zMlkqDjn?2%THCX+@Kq5F4kq~wu250d@-Ny*3$DNH>QAi`Lu2bpK}g*u52emdM9{;>
zzy)6qvdCk{)g;-^&CKm&S`ICGjv&E`JMe3P`g@BqQ-rZ0F3?nY=-85=5!PG|O8M+&
zDP_n`q!pGQ?e1oI)d#OC(w|&@<Jp><3k=}P{*B5wB?&1QxQ=O=`nZqH^N>Gdb~;)Z
z{B(m%>Z$c{#sKIyGfTIv0}b6oi>0X;da}t6v^sYLw~=mhx1<U?mfQSUB{u+on6uQ8
z13UYazVoTm-YVBCVaRcg$(<SS6v786e5r^o-=w0gFxBau`?06(x->RBl<J#j+`DGg
zD0{I{ndR#vBRGCn7qw|RUnk3F$97ilDGRFj@{X?N_rbZ?y|oPi@1e+VJYpi^@pb+w
zimcSzPe?RM`n9!O8fHhP?Qq$i?(vE$O&9b%f#HRV;FG4vZs%Y?Q#F6Kx}VW-Au>p{
z;Fx(FXZoxg5Q7I!nbE+l{6sQt6o1=!@xEGXH<6Tvjt^@;Lotwu|NZyzb4MS4N6oGJ
zC^V08+j;Hrb8h)|={)^?X5`2m7BDcw#Vzq{g1qyQ(?h+c>hoX@zxHcqigB&7dYL0g
zscVMSjkoOajbvJ4*lQmYXrh8NFGUfbn;>>zu{Je?nu*F;a#2aim^$bVU>Mi0H&Hm1
zUyR@5o4<oVT~XdUa|GX&GLSxuo1a76W+U`^`sbMtpG#_i2M{X~i7NSRt!t_r&_(8W
z7i7Ru1~6|XRS&Pc=2hAA#ShlYO_F^qV`S&K%Xrj=%E!xK7$(r)b#s<gu=Dkd9=~iu
z<$ZanxOf+==;|P+<jLfNS(~q$K<9d5>u!h@!`cb{TwwQsF1!ro$4#+>obkz>uc9Tr
zP8@00g&RD2>i{cn`KNXNS=P*+yL#1(@HlASy%AVN;a|kCL%>cED$d$!DbTX-jTr%V
z1lKOrz(#{hH~_@c77G27H-nsVm0!5VUN9Ne`cDM6vy-l<W|?0-f^v|T8BMWc5H?<k
z^Q#|JnvR<cxy>68L^&tA`9_|G^fm0BB5j=J{Z)!T$jDp*!GnSsduG+9*1WtOv!K7P
z_PaFqB!0m(T9Jm*G)-<)bI@yed0xAibjM^e=jXrlb6Z1!?J)74oAV72^hKyp1mYZ=
zTNZ#Ddwq^OkKzW~=Z(iCCSrL5Y#16rLY<ho7mC?18dCOHcur515f_d?oEIAw-Ak({
zPpye6M(l2G+YjF3GVapGsk3G{8QJ}+UC0!9hs$k<r_IZN)GrP*UH-P9EtlDfsW;!3
z8(vE+8_=jR&@qU*bz-RTccu)-WGyvlk3O@yzTwfu_>1~^I?*?%bxo+<l#i17YMmO;
z5G?0UWK`gNI#=S6#?Zh%EJf3x@V^tt%xdj~f>cn#)+9l^HC0-dq%l0k3@y87=T^nQ
zACZPpy7BR`K2eQZD0u?!%!^C91<1<u(ydP2P1pG>dMMLFA~s|8VWZrwH_Tn6B6I(G
zBq9APIq8B>!ZeAPL6lZ<mw^Y0B>US+;LnRt03zYmNg^_4pM4{FF2FoDhks9Z!9(xg
z1YPxDi3d&Y&EJDWp3%Ejcg;BxamDzF#YUD;3+2DSL_*WgS43jJ7ty|Bl|C}hy#8{a
zCiB`a?|T8-niCtBbl2SwhS~4W(P^XAL)^F;bR;xP8ZP$=ZUnkCPC*~$+~M?fywM(R
z!j*+9ndJZZZEGJ%l_mh4tOJ+wDDoIq`cU1~Y2lb(fTw{6ycblg0p$M)!x2?sIWM0)
znV1vkz1oQBo(Et^Gj1O<8FMzbdA)!LSm5vEH9(v9!U$2`HDNNKieHpNC$R*VE<;sR
z_@GzE%yokms8HBa-FkPE%P_RuE^Tbqmb1r1=&<%`I#o>gN5HY}mPK~tXm^+?WM_-d
zCB_;W%qllp&mI|YnYc*65T!>ZHt&phYdSnUIBJd*+6*LBHJ<D@tdUjWMNd9gxmHxp
zC{fVi2XshUK=1i^Y2m?jmCqDn)V!6**k<_C7Cl-**0jJR9Kin#b|=_Iotb!e{MUM=
zjEj)CTOlbbun0$^eiTm*_gX#aixqdgfK9Yo&{gZW{chAd@#w@(r~<-7k^}EC?zx1*
zNn=%Q+meQAxr~8+9&fpQbeJ4ct@EgrqB>s5!rimQxCkBUm~qaKPC+`mnYD-+xmlrv
z%#_TAs^!f_Qob+KlGyR{ig*-(u(y;Zzh900_r2_oOkMg16jLmY#VEH|`A3_QNt%jw
zE<CZ{bP(pXukifqOct<)>cEm`t!u)U8Lx@K$d@Utz7#Eqzc9e#ZdiBN7=D`?QLdkj
z@=G1C(MStQ9Q379d$c~Gxzag#ufR?Cp&|f<hBm61G?k@rE5+6FRl_B|K<Kx@kY1Td
zAkEwP%y;~^DH(+Qx%|BJsOQA3bEHyG`#9ov?UUFtUWR%(^ZP<ZPl4Ogk}kFg?=lqs
z`O8;Pti&cr@IFd#vF+t<e(XY!YfQm_O0BbP-;lKGbyb`GffRetxi0Y}+}@TkR0|A4
zn7mF!4o%v0YkERXiBe}uka~$UXuNx0BVnNoO0q4C$6w}<85jmLQuq%aLu4_m5Hzor
zl2#fF-9-fu4aVe?9KLnV68%Oo19>1bPJ<tM#vtz_4;nh>BZjM}4zI}_%uEkkbR<g~
zJ45S_=BljB+wm+WAB>CM(&U+ToY+Y9+QuSd-q6N3MeRm7ZA(tj_--{8@VWvUS8Jsv
z-*A*Y;j+1;vrzHT^P>l23O$`R<PEf*)81`$A1aOLPjV|)4oLPtT}@sGeogvDFQ`x)
zOGiW~I}E#~r&rjREcpV=lgRalhi;%rSU<rbBp6uBr_u_4Q|(ku>quF9wC(yxbv<*c
z!TBGkB$2y{UND=`h)su=kV{P26bC5EMyGG6m>O0U^STP>RJ4kaQUIx@Vl^zai>>(m
z?6o33c;w27Ru6o+nQRorgrW?5kTcWWI4B349M#gy)cU@1lTFynwNtBHXIc~CQNhs5
z>d|EwjCO~f9$O9}9Rb$8lzXq5*MOE;=hnAiR(|~3jt1K+3N%a-A|eC-?IpRaqEH><
z+WA>*r>bW1TwbC8j9j^Ic^QTpWd4?CyE4Adi`G)moDN7KiX*-<c?eNywj{rmQAm|^
zK+#u+>Q?aT-aFD{hw~XmNiHAz-p3Uhd+)E?4zWNQi@;>JaaZ`2W>r4(;-6TBsc95d
z3GC6HGPrKT#-2aqs@I4wRokE6KY_#l9Z<Z>2b5u=1qAeh5Ay#66vO<iH+6IXm^%O%
zY+NsWZC!CW8&5sHVbVP&3%b!VvOis94Xz0?OHu6~Xq00Wx7B1oEHlXpiT?m$DM#0Q
z|Aw9IpE8m<@6XPz8APN>00nU3#QZJ@uvT=<lp3J2A<Sp2LwcjY^bbBHOW5i5euOE=
zAEq-!&32nZqfESQIrB%#C~VbZ43JlbQ56AxeD_^)`P4a`#(mF^!mPLmxpcf*fuV3>
z41gIp-AgpTpdN43fc)Ijsb`zbf0PZl%ej8{CqhLc34JF&P|06~aaDjnZB{300@{Eu
z!;ZCe4dd3SM|=Ea90L{*F(kNjMErM7gt+AxD!vVENehhkh~8ZrV(i>2a=Q0t-hRVy
zS~>>sFnhCy+=vfmwkW0gd5^4voY|-jiSBAK8r9ofIg?V>0CIVu2@rTiM_JDa=-!oM
zS>E&6XvIfh^V&2!%f-xAz(PlX_iN`9#Mh6Lv?Q!mlsvfIeV>1Ha&o!*&Gd2mcKPw<
z!q&?rh#R*hx+Gas#hnih6=3O)Hma1!3{0K*C)rsD%Na>l0z4lbBU}{Z5MjaLLLa(G
z;;i2fOJ6TGG^py}zUg8%XtL>`=^uKfY&>^a@C=d!W;T5|3T40{-dy4!8dn%v%?*xp
zDA=4DsiB1}+mT%WlX!G4j*RzL-+T|4f^#Sf37OI^elWZg_};>zLL;0!kh4}juN1u4
zwheTI&=oUKrfdhAWRC%iM|=bM&2`}C&l(TxyhoMP@V^zW1)Nfgq7vf&Smh)f&?Elt
z?zfM+(u|W3-Q+(aJbIn7j!u@~bc*ndH|Y+QO3_feMj;|cGMS(up!<uKpmd8N2QcX%
zO|&0*)rGC8B!a)<UqGmi%u5a!Ph59d$ytF|b(2xwfETsZOHhLbP$gMqTCU^JGh^mU
zQU4*2mdRJ4>U0XwhNoN<Q-sDuq254B*nvvkr3-2fVv<jo!-`n)VK7o@2aR<iajmXb
z@mHI^0`sw)2F^COGe7#nJjh1MHhzb;076#akR1+kEW`CP_m42=tDZQ9K04Vy+#uw8
zh@SKM6(_X#;B|WWVFL)hNz4u$qE6Lv)rCq$qJ!^`WSJynwa?!mWUvdnt`m_59w!Qp
zBF{V|lZBt8u%(~ma%N#Nw^=&Zos4Y^(GZ&<9TO@4#>vaGR@48k!gl2HS4tyU8o)k=
zo#&zXj8vi>2fE*wg=)bFMtG5Xd}&qn4*hr4^iL*^fCqUuh|Zhm!;y0!FTjWAbh>y}
zsF!T7zYV2y<!4j}{J5>5V$Yx4j$*It1kNcgKg>0;1n-nUSx*E6kY|c@l0=K}p6!3N
zOGs>jelsy*ANom%YxF%Tu{IKT9mNds=KhxtKL}_l>9sfiWD;=E=?nHR$Ps<ncxxcQ
z`N{U2lpI8{(Q-^P2UIoN95s8(pn;X6`MWJP{*c@55Nb{kmYg;IpEFO;Ggn8BbLt{s
zjHPuLNI)MAuamZYr>wNoXws)c@<mh3A*;7+&{8&^7jE|~Q>ptUyDyz9GA$u4t@wm1
zf+}fSdL80-SjN|2=$l@{Zyx&owr~YXz!R{np5|HC+P0)tssh{_66O5~lQ||@^fn68
zyZBu|jn#-#rzIO9wxJm1g?Ph<P_UU#k0BW)UH`fkORS|ghCeLbP~@%e?6i35EY$YN
zB~*Ok+<K}r-v9u7XCji=I10QJIrh^yp>jrYYf?4eGdNOTZE^9{F2C=Pi5BXMDv#e<
z$=4fUw9VzZV=hKUbHX&s!0!$3N^@ukRzc|Cq0EUAdy?c{v0O`pg!r@C1I48H4}R?Q
zz6Hso3XW%GcMM#18_RCf3UcPYoKVTxpu{yjbI4ddhk1hx;M<;byP=G^(>7Kk=JGhh
z8i1(-T?&0^|H(D<9*Bq+)kB|&Jr+k6bTSN=)uVz=Ab|hG>hq8peDZ!!^hiG5G>|}#
zCDyx!`|wGzG{jen<PrP{K!)l~X$jepkEC*8{yB(1wdrH7j6o0xX%Lc1Ji`Gxui#NO
zV^$e5Z)2Yry>w17a{BDjyq7OF3NxbTGdLWuwDfC61Qx2Nv1078yl^6yC@enweptp=
z31ZTn&mAonTr#pdutn|OQ7iS=R%sB~xKl(eH8OCTi0JA{xD&PvztC}_wEMXACcys8
zkQklHMH}9W7hM~K9HVeQh$>%@xLw)5K3)s2A-mOrIO42p*lr;11zrZ-><LM*W^_1i
zay6-J^I6=HS`ncPGS$RWmb5pNt&-5av&5S%{g>(Jt*&f+AVZ`Ay%f~;O^jha{6)eP
zLG68PHv3;+iaStQNe|rhwm%X6t{3MAp1|82qkHR%4~e3_*U7zj^nRUGmS=8~a%U_w
z%n^L+IfpTqYjqY|jtmKdj@;pCt_nDoV;Y$fZpIDUz75Obzj;Vg7N+a7S$erjRa+U^
z?4TcfDz3f-Buy!=lUgkXxlhrXFy%n3Y^s9t7%2QUBlqECT_Aahy@EY!ZRZtdh(7?H
zcMrFhG*2Lz%?ogcknN=7t|TorUgK&678eDzi947i2qG+BaLPLwS@62OHPPhr_+b)Z
z-mKQR8j|)8G4tD`N<M9{k<Yf!`{}<UkKGN?w2Q{qyZHzr$a`ZR@z8KXmV!^_*>41W
zzBmwctF7<)U=Kp#KfURqcXhRUWcVVmD!~}dXZ9#b#>j$b`8+#wckHtBvijCiNB{C8
zzC-D%4~vKezW$}N&tzmxyiAaFLX>7O&UR|_kx;8=Pk8{$>H6jx&%CZ2U?_ToSrUB{
znnslc?eGAB|Ngjisj<h-Ugslidi_fgs06HsFnUl%x<)6qS+rjk2JN-Edlu|?pW240
z%%>l5&8weZW%A5f#S590Md6`a-!TaCdj^W2!9Oq7B8}~dG#_$@MgUkhHo`{*f0q<s
zNBV{?H*<rZu{R?2Ml>nl(!GWuA*g?BNyHwA8PsQ8p9cThzJj;N2Kq&C{1VF~kZrnw
zG~Imzc1qGW_V91NhJRbY9=%p_%pL!sX`w|I+OHL~5q%IE<BnAJuICu=WG(4FZxF|{
zQ)lum*zJAvO{u!nx~jZ2pwk?5a00mvcPcmYNRGKfkW7{6I-?Oj029My*}YwvSCnV!
zs@f0c{{{<$RB(MAz2A!B2P`FJ_U~#FWJi}xC=Ylicb^>Pm2A8o$%>tF94}*;V(JmR
z(;eFw5Y~kE5Cf84J5OJ2e~=siRY3E$n+p}8;hGP1QAjJrYn4blaPoox7U-QlW*1XG
z=b?F%tTeS6n~Q{(<hn~s5-9pv&KCKtXA+Bf8r7A$*PrM|XN=t1lqc-$7gVsL?`K@A
zuQX-G2Odk-<o{3uS~4&BC-qgCsX(=lP-LgTsAEA~vmYM<oJ+B&M@{UsiZ>iBTzQy7
zU=mY^9uVRU5<ElKZ#`D|w@QR*8qd$4dWQAv*kJXtWMEQ+D)H?NEcd5abMIe9AVI+Z
zc}(alIm&Nr73&52yD|+TEv7ROaf(r|B$!_7QBs2LlM!IIGte0+PT#zWvx^72oxd@#
zk6P+i7P<Z4sj0nFQm1D)WdgC}24F+lXkVDRVi0j;p{ZQ1o*u(j8fwm+BiZXatzuy6
zOmNNTv;uaSxzs0tE+y7#VVhECLlx2r_t|4WR<4p`WbnwCYF)m6>W_R$!E_&w2P5t(
zIo^sroD6P&WAYW!>`#}IbajlWZMIGp^JRoY)@;Q;-|Q{HmEwDzZsK&@DiLk9?~Bt3
zwXFFW`7O+M`KOwXvco>T#H8fwP~Be0!Xwet;jPmQvPY!l4jJw|B&@8KLCL!<>)kR7
z1}l}YaB63+9tiBQ#H1K@`b($ZJ86nrS7_D2-JO-LxD}6c%wB{vnyM&_ZI*>rFQ>7Q
z`5E^0A{6c{zH?KfzIm%U(WF_&2|R8&w=+-mI$A_r6}^1IOzV0b)*PokmseIPMEyLL
zdLa9t<shI}MH;@(M?YHP0^%m-1`ufvJ6wO;U%&{ulowz)1`Hi(B5zU4Z80RvzQBp5
z%`*iqiX1=rMiRTmzdF%K3UX4pyU9sXJPN#y9YpR6iMK2)q0Cjw<3S0sy0aTZNtc#c
zKpUGTD^(NO{G|CRwStiO9%vUMiN;ufV(|xdXdAq@uX(?Ct1lFo;f7!P5LWDd7_2>)
zgHk9p8eBsHo4$eN{;9ASib*nu(zB5P9zKd)zOXy0%3M$rK6ut2WHp@c80)69)?ioH
zuM+A}c~il8)b%=F*rTm$+d&0S5~am`BsPtqu=1k0)0lB`f8`6E)KG8j#Io1j1;+O?
zQe-0M-`BIio5Fe)Jip=d`*HIcMQ2NLizu9+-@9z~+$d1RD{KEZIjUC1o_VTkcEXPF
zu6Rcsm|nk{>+!ex;5VfWcZ6d>(SDSbJ!g$ZyQi^Gv*A@*L)Y14x?Ch?{$q*dGX^|8
z*-yoh&&yE_0>AiILqml?OiOX2whvQH17p_x206!UV2MIs?36=48MY&e<t|f5`(>_B
z(YS=9kh}C)qZ6u90aT82bwqYx!o)OkS0KQ=h&|lqNKgcqlf|eY`||tm?KiJhNvoTP
za@(e_H&TPLIjZ_HY8HKR@3Io|(|kpWfK63O@3w@ec<|s?9{gMDkPk$tRW-cUw%6Vq
z-x7uc9S!}7mxILfaXRY&in)J?nBS`k_`UzvT}f^6Cc7P?PTtp16wbTodw!6GTmY<<
zPy0IFgGSgx+=h(LVLV1P3kj(CML1pKN!*x1Gs&#P&{ZpYF8)Qa1Rko|6Ou{Epqs>L
z7u6$qM^Kb$*;9+AjY`Wpj<N<Fv&6g-qzi?pL~#-NJ5tzd6n~YrjB6H!d;$}v^Bb>7
zOJ{=K4rY~72CS5uL4nf;6y^dM#^q!2SPWCB1WV3}O6Q<B8$oi+w|uVbL6%8kNPqGt
zRpL3E=vZ|_-ZI$tLMv>IsteC%gM$E|nstPaE^Pnn9_chVa`$wUs-GpJ$eqRdMj%0*
zmoDfU#&x5&VF6pgYeHzwkqiY0*4NpwcWD(WO{>gJKx!8s5cFkpzKHJkI5=@hZCIH8
zhji(jNYdCB$+?u^l-5I@ypDn_f3>05bO;((hI&hOTV@YkLLr$5>nt+=>QTv|c21nT
z#S{S)L2h*-*WFP3%|Xw0jAyx_;VqWUj=___{_5j+ZA<faL<kJv;4ZGIXQetJ6e90?
zJj!ek#afF9H%+qSPgOSDHu-4jWhIjV60*v8XNurOLY8r7a7vmu>F>mfVSmqYdu0Sv
zO#=13%JkiWV__@AA`HJ5I&Y{Yimez0+LHz>N>&l)PzSgg&Ri{5w+3QRCl*ONoPniP
zQt!O#!%%b~c+S=kZUz`;v|#$n6PjS{ed~r+TI^(Kv*;PLq&BiZxp#=-d8tt?F_L5(
zscrtlSQ^%UnAzK-Pa1kUTjEv%U4v{7M4cNVEjiB+jkYSvL=U>6lW>$qwZMwds~O&2
zqf^jRSVxOcX>DDTnaF+~fDh8tNo*_!?!Q#e<?&u^=0=c0|JLZk-zvlXTT~^>F?{(q
zt`wdt&Xy$qsy=~X{kTxu9!IWM?N<w`dv9DaYUt-wH${dGPm&CIsg5JP$1oZc_*#6^
zDoOkLP2rYx(rLzpXbi7?#2LACLDFoOBpHn6PCHRW7Tq7+z_wk=g03d!ui%uMB3%2P
z7OmZK){C{yo}ir~BC=jpd`{bNB47I&E|EELhGG^U6=JTk!FI~MX=q02R`iL#FQvqM
zACC6Y)?jYv67h(pS~M{m=O#tzh>5vGp)rU$t&p}y9&P=`g@KkYSCRd~X=;)8695hQ
zXz$<#KoixyPJ$YC;UfiCY5<RZ_?emJ#$fjl+nUTkDXt8xjoyzkAgI*S!I>>Xu+<~M
z#P?oX2YcKZa$O^7l+Qv?%xy`djX#%jQg%KVZvFx%(T!VjCiSrBi+|+d5IA6&WUx3L
z@1$fwnWjmFIA<&x(zEN+({S6>P+}9b_vejWA&OOV4xp+{R%F-X!%92q((zf(6X(x{
zn|tS-3RW2D*9U@@3~ecds29K}U4_23=|^hYtaHuDm+b(xwNj`l&zwZ;L02Ut9}_AK
zhj!~$m`kGksuG;OpXYw_&1!HWWq1WsLMzH{+4oq`DC$#6frL>Qbmnibvz3pGZehG2
z&u(3OsZwV_VONuEts)xLtyvcg8}(%3Qss^#?=?^I+Q|0<7#FvyxD=&-np$*xB|bW(
z@>tZZG<FSR6IY7lbH222=Scw?id<m9Jg;n`8v!QpU#vu`@_Te+1&u_*6HB?6$ZjVy
zet4p=;+JW1V+RT$f2<4!MhngT3iX4pb-r*V4=n#2^K6Tqh8vlOooikv-_~xoK|hy>
z`d^!i6AOk%HwcfX+Ah~!l(lNhBY2P^63ot8NI00Pr0`M~?MMM+*I}4rQOvy`Arx0N
zUXpYCk<7^3FY=)$D-b`=@A{0_N;yQlGu+PvX(AdLf=52yI(H;HEe@x%GV{5y-6EeZ
zG@HfI+Ri|9B4uPJ@u6FR`r3Vylh)eGhyFBL6E{d5CW&J5rye$~nGMN`lT%g(h2nzZ
zta~-*DPhE5+g{{VMtN2l{cCL2b<~yLQZo*!b=A&v01Iw}cYM?+(@H(ydiMmms%fi{
zSU3Q5h@;Bcl-I+4T0<L3s%`}q7`hf5Y@r`l5L8qY_za;mI)pZa<o0ab@aX=HKh8<i
zp1CChbybw2OM+lC6snLfPPil5uUy|eZ(Oe7tl}X*CjB#`kNSXAy-2Kl<93QTzh$nR
z*0x*$rI$sqG<{QffbL8=1#`{n+kj8CotnM9)iHs?dDg<_=C+1j5aT2y4j%LSAGutU
zePbQ4T@eXrM?fV0O&So`3nzu?L+&uR6TYQOcCu=ym6NmGUE>=W<bqj8ct4upO}Zz-
zbmM%;5m@uzC70pw3AK`Vvvko&uHA<@HIv0=xC9n2ESqSCw^KGeNIEsBHV{p1gNoOh
zgp)-{nah;Y`vSTG5s($?dp*a|S4s-TjG8WUrCu+UqS53=qax<<5VI(zjB-QBatXuG
zLcUxsOdHUDL<y9x=yjbU>K>EN@)^x65V`_da`_5+3}9v+Mx1%UYJS@os`QwKp_oiE
zVJ87of0Lg(d?Z3j3()E9*{Q;*PcdCU)QLaw`^{<KkPDkTO89nw9O?IC+MQeAtgUOf
zSMV+yw^f$(p_6PK$EuaUJl=*QGh1V4<Ehk2q6^!$?amG9ae$iO%m@1Tmdz@r93)j?
zZ2aZWbIKT`9%%0#EM(wy%eaaPSq(~bs=*E1=ehErUg$MJ?{TF#x#Sh;%CitUGfa_v
z%<;C@IQ`lQMa%KXD4jHs1!Ucbm7!#zqe_;b;M-Z;WDz`qk4SV0_t`?4v9=;_bz2<%
zU?|y5ZloXrK6-ZL8-jLEtMF<Y@`NAdq^w89>pFI+<W8CEa6C}tr1Qo(S4*eS8d+gl
z7Fk-a4P3cE*tgi!w%PGW*we4xX*hbY`Jx@Iq91rpA>~9r{qh(7+7Jl~ywDjmZ7NZl
z;kXa>g2VW>4+U_AJE|mKITN+A<5ZT*{x#>kTo>zy7&=;RKyMS*IcvfFyXzEFq4$Dp
z6p@U$8>OJ4<x(%bhR(sLoNH=~Fm7(g0b5mxrJkVVDLC4U4f#*(OUeJkj(9}|F}nT5
z1KW=wF;B)i4KtZgpB)wl?67zIBF2-NH=))oLwop}92e=5_VrnNb+vd=PwbpU_%qe|
zInZ{mEnz|_0*!p9Cx}ZUHnbvTiSa4rt7iqIoD40y$sB<#!vs?g;==Z6TRDlRWq2<e
zRx^TO8XNXr<KiYf0;IyjwYf9Ce-D``Q%9GWIP!q^XrTm#F-TN3HRtH$3AI;1uc)mA
z`b~;d<+4RVnq@RuWF^MbIg7<cL_{6e=nV)ZNe*mzq|{mYpt{0JXt#=Whk!5H0G?o&
zoeIYDysTgg19HGeglv?Luc}-qifZc5^a?JE14b3tszToID?zpts}2QIEyRyuH)I#g
zonf#sVAK{w8)qR@fF=ZqKVPST?vY2ej$^~!hR1z`rv$p3;de=mN+QA|{9-@tR*{>s
zcyCMb=6Q@rG(*lNV~R}YqJ09$I243<EUr}+CmeW(Z?t~%KZHjQ-JQlAXd6|;PLcgX
zj!gZ(A-N+HjZ$x90*1HOwPaJQHK{`7V&jmH>xV>lavB_VCgy3S#OLoV%4x%6hbuE>
zYckTi3B^&8&dS`?gSL<^6AzvD1!*`!PBKd(Y8)zrrM~wRT;dxXiZMk>EqK(@XPk{%
z-<@6VDm?^q+`c6vGR+TO%EX8qg-vdw63Y|3DNszaQra<8RH#z*F*@8Yt|!Up60*7x
z)RwSGOis-n7t8C&0^PL@vY%MUeIs=8Vi9~)1CUa5PN@alX0om<2E32~=FaCU>*|(D
zRdh-mhR)J8173vozm##kYw-2viu5{Z*v6A7rNoa#P!-`*rpj$x8I~|rTt6@Bc&aN!
znqm+->r5KUr5XYg4R{*dok+drbLJ9V^RGhEhd0uf+*4APo9doWZLGoTYjJr}>*Uju
z;fSKY*aZYd@$5pPZnJ9glrk~>u(VLoK&{*zAK=@T(E6=_yojwOM^l-kf!CY+mCoZ9
zblqQCaxA?0lvJONW8P<p%~gvQ=2z>kKiVAT+_si@^^T>qeD1+KN1iA3e<J!lSL^-f
zag>r(F}rkA8^tic%W87uB&;h<*M9KZm(R0I*d0G(y{*^ZDzod4ZubJ>L&nQ_Ua8-E
z`BiRR`@f3h^qoY^8;Y-f_qI&g9J>@nisT?aUO$X#1DG)LeTK+byCgd6JThVC59_B^
z=;>dO-)Jl8Y%ol|jHD`*i9#H8mT@GIJz&lxXywer8_a7B*qx+D;bU7t&iU<fcv*VW
z6aWF-Rm#qZ7smxQFz11WtCoMgG~k5Pj!Cyk9n9c0>cSL+Hb5CINViW6Ka<xID_Uw#
zsN!mj`^e~c1<Ud6;ISOQsrbh5VyDK`%N}H3={`kA=QOG;y?&H&14VELig^e$Wr<IO
z;DeAoFzR5+=I}SOaOre)gb&?&tg(DEarF3FyJyMB&SeKvAht9Y>R7KH?1X!t1^KnY
zHlw~Iy1^cFxeu;SUr~M%F@(bB?VaA5@qLWiWVXkfu*v(y`4;!%|J$AEcDlJ5ET6>Y
zRi7ssQRL<Os)Sf=H=DGpkxTw6>r$7L95Nm|#dorv{hBg{)Rm`|bZSmAw=ZN(+@8Q$
zFl8tt7Ol$(mHDC{X(f?Sh9%Aos3c^ps~dQGokAFpbvdTN08F<kmPo8@9w_L4b<F6c
zPJJEB>V8!y=n9Cb;K%V<YbPe`4N>lx>TE6v%=1m2gX6+m=8&9ZS6&AY{AIzsZ!Ig_
zD5T5U7Q&Q_^JLE<t_Kd$nURj?V8A9R3ar#z@kBf=Un{d(Rhfg#`9)b0!8N>Y$^&W2
z7bz#rg<f)@cEM_@DRW37NbAv3rG_YC5Sl}l8%|^UBxH4^@FxcfzHICBLPW|}_QF~T
z6CbeTai}S|JjA9r?jg^Y8Q{ZhwBPZ^L=L)E{E~sYV{p8400qWn_{IK;W3H{{hfAGB
zee%{qIUCRr7(sM*%VZLSFhjYX*p>KizM?!tVT`;^0mdBVk}!h=_JN1$^y3Y^r&SR1
zo9CJ0PBkr=;jT(wszR0{q_+k?f_t)QNl%gsIGNe5u5jp@Mdna)g}%1P$BCUFDcg*P
zxhU$zDYG*Ec<~If?>nxeB3_-VjO^a}4ZJmMoo>hgahpyn)6yyEnu(HUYse$r>==Y+
zlxDFM_E~o1ahU@qVc&C;sXtNc_Loi1<*wa<roe9dAYKONO@-tY39!R&x)+<??=2id
z_*#J&-M;+Z-l%6JDX(G*LB`rSYR;cjFu!Pa!J%<`)wJ8PJtwwU6K=E)PeK>b)wrO8
zB*nBMt5s?W?U{lVx0|!`u=(}nTPG*=vv5~#NSf&jFb=n>IF?HseA^0dzz{i-`~gEi
zL~JiuX$0iK!M|A=IZ{>}dyEWamZIBNwdsSVicYqfl5>na>1BGn!NCA@^%AVDzPHm@
z1MCo=?<3x&=R$`(D{y8rYPH~<Z-cQuoo_Q>x-^PlXKnqRhm)1lySumh)6dhF!AGO=
zXQ$d&Mah%A+9{+=!oE$Yi^X4nb*PF5C)VuS)4MYGc$&B!^n)*8CyJ9Uxc9R8BQ5yL
zhhIKC?KodbqAIra8D^^=FPCNg<F{cFPS>v%Rz=^PI5}rec{31#@Ue;z{}d(I({DAh
zi1XlUWBqXK!Emh`%{OL$^YMQBxbt^*^YvBFdY@S{X`4#9C>(mFo#Eu>>BoFsoWH%;
z@!`Ccv{v+6Br-D0*3E>SP)-9~&~u1(^I+4G%t%=DclYsqI|DR=a2y}0#$wPoTYl^}
zvqk-Jn?x5JSp^7^X_}*iF{OlGOkD53)eKP@em>?J68QOb8&7NGK@PaHQ}T(+PI)A8
zR+%tJe&fK`ku+=O{maJ;3u@XsJtPCEzWY@M{^9Jz&SkCBd2Gz|hUf%|y;znR5kJwl
zIZUA!JtKgZ=euKux^*!9kV_CZI%>INXb8suSyoh~tS`Kzt7UrzY!jsIL%S*W-Nlg=
zkmGYSAku`89f@T~nCHva_XY4QJazJ1TXHV9U98t1vE<JW%NyxQCNF%(rr<AYm=bj2
zH&Ywv=}Da5`n31sDHY*lwifXKZGSz!1pIpTsP8g2x)AYcPYeHPTkOTV#{&t`Kdg@I
zC9`TB2Rfy>`e5?SYXUA{ao(RguLF@jy=$CJ+6kOGyM!M*uQxn2o0RZ~Fa`Ibiz%23
zZ3|#Cm(>go5IS=Kb8h=aYgRLC*D$H~Lx&C1QFIT#&EI*1eV2N3Py1-jIcrp133GUD
zo*!vd5Z`?Pqf(K*;@^O8yaL;;VU9?umOQqWJV3~hUgWIU46ScssX#;rohbYqZ$u3!
z=~$%Z5$`vkcX-xN+bYs4RA9i1a|%LUU<QuWQXSjL+aEitMOVk5f)10km8V>T$kZ|r
zQd}X@iWN~mJ5&2{xU42b@jKnQ;}roV$%3$k0>zx0LHQyz!lB&pghgK@Vwqhrm5yY}
zrm?EAH$&OfvL)aR>xV!$G$8}~Mr-4FBIsoyUz1LXzc-5ZqmFG<sQf;B?J^VTd<86R
z^n1uh_zZFYM><Zf@svvS;E0%r%k?X}wZn^>X!#@RbyBp}^g$2#k{rD5W9tPJ7INwX
z=GmrhRCQ6jKG_Ch2|8Kxpdo#5y|wu7qil*0Nw-e!@^P93lTZT`wg&&GV|{D^clm!R
zvdx`)=whvCIleAEM$)uzeG7a(&S|(8uD%P7t^HAT6*^r!k``pf>3**|Ww^Op{zm*C
zBL|GPE@J{Q5YTQF(EnrPK=@xqj{m|;_jr0Aa3pels3Y~fn_UuUpPRB|XkDxqn7Qpo
z)U|A#t;gKA6QiWA$tU1|+|672JwFTYK?viwrcYlwz9Y7YfvAUcDsw&9UZf_o(ci6n
zWw~EaOiS7Jp<{BBa$ooq*SJSvM6pmbw|u)+EuOjaY<EkIJyuI$U>9ujvQRunAL0%D
z?H(g=SfIP0pf=xj*4|Q9IWGgz0~*=69{UwnEUo#~msWCsl7_ggoe&@GUX)%U-s|b1
zk}59UCHl3KFEy4#496vSy{@bv-Ax4zg!YH5tP^AO_dFeLcv!Y8FJ}~<M1VVmHuH!!
z?)Gjv`q3c6+arx6RgW<5rLjUJZgPAU8|CTlE|7kUT3;2$+neocWsqgWW$0m1PL+ld
zie?SR+iN8`gxB)haQ@ZpbzHbv^4i$=XEznLxFPV9IKv-GP5KxmkTql`e6Ge}dWQLG
zsks0zf3!8<hl`?L4{KFIn<;T%K|CtHbHHKC2|!@2RUgip$aFe}3X4F~r-GNO?^5ms
zWL?l4p_uRC@~RsW5+*LiCT!c7RAbi7VGf4wUt69LPjk`<MWQH0tB!LQX?4A#bq4?X
zJbS*UaUTl3Q)G#}8Gm&JUly?`O3gfB5iI^Z(8d?5!vq%iUnxl2$TlVG3gW=`IdZN@
zWv~jP3A!a7u6Nl<;2OGu`ntE;a0hNA^OM7ILA-R6S(8=7Fc0F$EW**l<)KZAvz67h
z{-h=CyJnhW<uHzD;{;h5<R7q6aFg2uHiheW8F^1nA&k*5?;*FZKCrfpBkux<uOTJ?
z-9}`>9@JSNmgHpDHXEmXk>HWev60M!*0GV<L{oFg4X?l3cu~;+kuD4T+=AD=*WH)y
zMtb2<u_#0RqnDM-sG=<oTDFSfQ-;0ytXOWAB5R)7^?@GTUF!+@?!xS5NgZBw%YqCp
z6LY&^QB6rdgI>S9e)+QC#T5PvTMasWX(xpL-7Uc1)r%E7Gpise`iSC8!%zk`4OQ|>
z1ZmX*%@Uj(8Yd~MkPNCQan3VA6$Fk>T5dr%5n%KSf_-=C1~Kdeb5I!I32^uN6zJsQ
z=lLXX(no5gx@XHHik_J?Np)c@BP#Hec97C`$=HQt@RGR$tDkLx1gK)L4v{D3L8)}T
zE#BlNu#93)s7y#HOmGZ<kcBxFM4YTJQIwN4?WdA~kTho|r5ENP6B8MC?p#smwM21K
z^S0I}k(BEHfa<BFpCYr}cam<EwDGSbP9(Qo5}E)O$nD<C=LHU!J&d<LGov#Nv6$<W
z1=-Z%8#;@4#<dRKcmo8h<o5rl#j&Orx~af7yY$tjw0UF&O@H~RCZF2tBxddR21!^G
zpt5C_K~r0be?{=+7ZZtmI$~%)`5(6z2dfqqj2i)`hQb>NWWq`HO3O|lmBE!<BBBj*
zO-e0Da48~z2UCM`*v4~rkdqHE>;8ZyDarN{@lm%iL*tsN+mm$ixrj4MJhSOh60O3m
zYat?B0%dEl#UmVKM0f_)k_G;z{36I9R0jArYohIZ+kE)7MJdcOguO$}E}{-N1!6-;
zsOk(+TLkJUq?yIKQ2xrjo;C}ck(^l1vls%2!p31-phLdI5%kA7(31Wx-4#9Fsnv0b
z)}%j*_OZiQ>x-LF09KdeM=NSMYum^5km4FViZ*C@x*Giu&qmhM$i3%mVvC!Ae(+qc
z?H+nQKcao#Hsu8p*l+m4#xh_SWFo%Q{*#s{NNm?Nl*PzVS+&wmB{1#uN=;RmXe6P5
ze0$CvWQX=*lxZO?eJ7Ei7oUDO9c$W*Wtdv5EnFRB1nPE=bd%l&^LAlAXUG`DU~*3L
zqG%cC--i&E8yke8H?nxV%XmDF)7l*XH-$M{5FX5&h}s;fDy<SZx-KJ=+BGvViJNV1
zis#o!rw|qJF{Rt+BAnU~a@a>|LJ|Dv%tGvo=a-p0Ori)Ou2Bt_sHh1Oa+A2ldC@-;
z^=k5$Ds(crCiP&E8O=4Zjy=5WU1}rvp{+CvU|ZQJpBTIEAGaQ!i4L`r`0B{{m)`1i
zah%x@gg|hbGAw-$#{NR$1fE2Z7tGK9;7o>0Q4>6(m`b1|m?P%6zJ0O@gffQo=Z0v?
zUuum$2}^D)^s&O3c1Aw18;V3x#L*0Kl{?c{=3p$kw_}#Rw<r;VHnkSe=1zqV%zEAD
ziE2-ub|Ns^bmTgT8J-x19>*l+S#i};JZbgs+b-~;`rTwFSbG~jt$4k<yW_eC>oJQz
zVUza_&}Of308|B*s|E*eH5QJEWX2x@6ig%%pRIGzJcLcg=n*1Z!E<^iAPnw@$Vh4G
zA|{|6e+9A1Y_-NsYH^KnL&L$-S0#8B_h~D5ow~&X1ZnT7>rxc$6`YqNoe7d4YNYoZ
z5J0J!?dO6if_vmy?=IIz7Wh&Xne)Iuu`7JVcQEA}RVnh$T+3J{o#%$Dg<s@XFHW0B
zRBPcs&o+#D+Xckx%+#T}Y)aTB8uw$#^s0+~$yks@nu-h>xY7ow7V%9Sm?V}}uknoV
zD9G7TuxZj~ll_~Z@TDGyvgPnZqhfISdq^ikWSy*zI`CV@dP0L{Xi?d28+M6W@9mti
z--O4Q%wm))j}9m2{?3Ohc3iJWXM7QUsm^^0dR%)#L?d-ioIr6W$+_8Rv2EQ||0wei
zY=2q(A`ezYAbJgF@u#Q4G{~JBuWi+T>%n}mA#|?(LYlbE7Uqw_5j>omVtop+Xo5IO
zqUbu|l*;c-bx|Q|Q2#&?V+^UVOtQLVdJD)|8~E}sx%_|!TxTaYCEsNqr*GBfg7V|9
zI%*_j96(p-`+V-yqjAb7S&Gzk>+!PIz9n1ELTfHNv=Y_X$9ljHY!h(z4RSB&@h0bs
zGPr~;{;7&7HyBAO^|e@Bo=E&~6+Y!a&ESz9k7)#^?r()^f%5B>F!=<yyM$#MyQ?NQ
z6@8RiAt*CbzOLh;gjh(DfxjT^ZyU)3f3gKdCGsV7Wor^^S28(j5OWXH^^n^ZZV-iQ
zeqQjVi1c=G8H8BDN(f2U)MX;MOF1mQWVrUI|CPDSn<9Xyzv|;wBQL0?(u8pY1#97}
z(GKXfF&D?vJ1(DH(o|}j((=K`-=N;NkTR$VDE|Hf#XqqFUNxpGp^2NIp*30hYv96a
zR<u#hcvw%+4*47Qu-)$TfjI7aR<1Sb+Ak&}ow0V){1+aKDRXX<xb)B2^305p6F{Qd
zZbQ|x`8XC3G!|O)O1F3fNgW?ZTSreqm^wG6TUu{X)s68-U`9vpv*ZXmax_$mJ<{z~
zH5T<3(yekC+&!RqiLCiy4qs|RX}|}PV%eKUtw(mwnPrwFoyl16>l0ZkNRLAl%{M90
zsh7K1tSaUi{V^G)xlue(lwMgsz6C&T`rHD$zj9FTz?W9b4tJYObfzi`TB6}%KQ1EI
zXmacT^}g<#BM$o{H<n$SZT<OPL3WZHDSP3_*?n8^O*VIw<<sRS_Ui<fg91g<9jZ6`
zgULSJTeX6AA}ui?kg>nnOa-Z$y*eGzN(Zr4grySn*w|GzTF1U*2g+Xu;^(0K3;lLe
zN?l`*Yb3dceqVerrO={i%1gjLh{*A*@$F?z^%*%FR_JgVKW_|lyFuaNpF2yU;u@L*
zm}iGA>QJe<bC`=u*sew1PkHvZ5>U~-U?wM3%P1>k9s8jhTdQ;aGpRaq9fgUr4U1Or
z4Ccqv@A^~Ga1ACGc3I;nCe-uNTzmTWtU(p&X46CI_4?mKK1A@1jYtcZgD0a(UaL;b
zZ6_Z>4Sq2tHqZa+ugKlk6+!M8Wu7EJDs>u`%qZq&AVlNFXbzN@_DuT`2Z0+UZ`!yS
zZs9&FuWNrL7ZWnGG-ZzaC3GB!#Me4NA$zDgF<_XB$PB?iLta}rK^TOby9`A4>Gz0$
zI%LMfo#o5A&IbjQQYWw0Dz$HtnWLd|TWWD@Pf0NZxGtF{9-~S-m^ec_Y%3dvI3bS1
z8<@#K|8SHk)Mx`rBAiCWI>NP;ud!lVl_$oc3qgzjHLSbAM=~52Zv|*byd#yn%kV;=
z@YI7XyGD=uWFWQPNAUfkYPa?U-z`lac-P-4-=jzG*%YvuFFDa}`fLfNwH?ypi412-
zU=Jl{=qacV9)~_|%q(srlMHD;p+fg!?EOPdgyn0bn&>CQI#3$YZAw1U0iKc-*j`{M
zhg1q+R!ysNDgx0}(Y&N<OT~;+DPwGLZvtT!(H?cspHTkbVTg?0{Xo{&IY9m#QWvNn
zFVlG5?M+NJm~cN8dTRM+KCg#a*ZZZjoj{&7a3vjRxDUbd?iQA$)KNC|tIt4726S?=
zqQPWVyg39@HEq>@kP4c<Q8zFWB?XMi#f*%cKP?SEhM63CKewwri9twc6LG={5r6xa
zl;F@}V|qfY9{-hDItvsMVZ6?k1lEywZyIBxoQ?XXGyQ%ix$k=-(WYK#NQPOlWcZEI
zim%v$vIytV;9f1=C_T0u0&=3`U1$!|4C~Q9UnvF0Y*M|{7vUJf+O&O94~JRc;>b5a
zC3!M^2mC<4IG8q2_%HDd7y5^69U^DoZWNwj+<tlaL@4J)74-dXla_$7QXFXswE{hy
z(9eL4Au6nkfi$zak=;1PV4()p5@z-CHv&>V1`IeZPtE<;Y_bLHiJJ*kLhO^F9BG#(
zDJa`aRu<wC;mwS_ci0M%_yurC&cWw1J7&>W6AlV;DOu_mGLulxF>%)^)AnxKN*LLM
z(ldNPu7iP}D@xQ3_RWyKh-n@*F$tyKsu_3;IFD~I??Iaq;O|~+wV7$%WlY$!cm^<W
zm56+s7K?Xh*sJ8JlUZ_qbTs$i49t2bZTUlM*)f;KI7XpMzW@E(-{3aBvG_z25^^7G
z6QxqP&D{=6u<wIh>KKBECL;3dG?-Jf_TEl;pYBtRq^28EuY_BOf#x#-@k4M<U6%S)
z9rjAsumWAoR-|m{bU_SyEU9I$@_kxNZt6DL-*&0m;5>qwcG2e!YI~p(5$FisKDJJ(
zLN2;w*nXN-nvOOA5-&d6DimKav(AMNc4Fm*Z{yDMrFHNTzT@CWYn&NI_W_o>Vv-^^
zN%$}#h;xn|^OZYxQxH7;o#oNh5|npa{p#m(`F&nsDQS^XzIfKXRs%u8iSVjm?1>c^
zh0Cq(n1aYH#Jkm~2|;oNsNeqV`O`b-#7!J%2B%z!Qdo}<PLqn0uG#sR@q?jvp1?5<
zWeKDf{eG%KJVO55tWyu`Ruz7N%DvzDeFW;awQgS|-QTZGCh%K}$NmxWVKwsBo+Dp-
zFGdnbo0}lwV*Mb2<#=ga`)Vc@F2O#-TLTsG@EE9|XBeH~zX;0CfZxS<d}LXL-I@IP
z-AwN4hgLwSEXoTq8HH#UXEFu<=<Fetgw^HsSSlF>!M_J&+9A?RQ824S^#72#SxaY7
z!HwB!Cg2zX!P4fV4flj(=2=O(z%bgV`d>qoWw0|Qesc+<TM(1MU05=#8@d;}wdB~j
zP|nFJ0@3mz|I5y3{(83J2G-Qy{ZDFOnH42LSdt7`k6c2+3_ins4x$RFy*4Fy!7CwF
zVer&0!TvB_t+@Lyh`%{ZDy{R750V{@Ij$Igy-W_)0~7FOD>kGOw6Mj}3%Z<w>em)w
zleNHTW1B+=jD>9!uCbf<e^n?U)q;rBRBCnUHzRR^6p1s8+9{Gaef>GG7-g5eb*u;>
z&Y**osC++ix7A<}iBT89i|=|TO8z>TgcF!@>Ql%6a>Dsm>nd-Hte2;2g7Vl*Rc+SO
zMmR7|ioB#KiMDNB;>a+Jny<J^T;VIQtKO}QljSAei%=RzB~J<tw-zGj_kSp0Nt#1<
zf-S8Mft@|l$cbdhDdwJ;gA_i4l&@^})>aaB;u9Z^0Y`E0SgA-&(#K8@M880f1@o#3
z`0%g>1+-h+t<m~KOKTjW&ip-U!JX%eX5lhLzGW!c0wp_t0*EKYKYMC#L8kJm&FjcF
z0mT1<uXBnKrHQui*tTukwr!rVZQHhO+qP}%jL+D<^FQ2|`*6EcT}gFkcXukOq^kB>
zUn#);Dv1T>gwnP_CUxhZ`SX%Yk5D6`S~~efq{@po8$vl#u<>5VTQ}8bXqs0y(P4ey
zr!<LrNr#X!9<e!9N`0ifJ+wTCnoU8}N)*k^pvEBq^|E>L!X?1Ph`Lew+hvjkrh!hs
zb;T=O@{rSqe}aKL39zpu7uKH*F+d(Iq0|jRCFbHUw@LT!F!PT3t`Wq<(d1@kZf_o%
z(~=W-^MFbf`~;WLOFSEQejEiyuA92Ypes_cbZV;C_{|t4>d4UGZu5L(q@T9I`}w>>
zOUHi1&+v)NkH7-2`Q06k8dj@iX&snzT@Xt;@c-r_xt#rdeLhL^?=#t}Nrr0!KGdWK
z@XoS_DQ6X;DGP8>LRJ-8a^|FkB;l;XGCE@@t-l5&>lq1VT_epvOcq(o!}O8?P!Pg}
zNc~uuDE0Bqig|+`WFTUuoM|XNp6rqlrik#@{(ek%&iXO;Ugkn$cHRb}GEXmJ_y!Bk
zOjQvacU#I+SZH`NwB)9W>d^#0R)ZG!=hYb1s1A)$&`I4P6GsU5>g-kZ>rjaq@k&V!
z!_${9!owk)-<s9++AchYXoH#*UnMi(4KckCMPbzAs&^93(dlGdZQx?Fz7cpo?eMsz
zGsc#Ioa-kcGJ28g8)sbkhggN^{#pJ~gd7HKV?GtpmqI!*VXSld`ox8hXfL4Ge?%r2
zetNTU^JOHgjx4W99JqjqBmaVX6zHU%2wdZT80}MeIHCHT2y8p3uw$8zd-4xcwP%kw
zN@~lZqwuN%0ZH$hdU#1<3V+&1%j`OF4oFL6@Y*{eORWjoD<mIv5Wl-=B~G#+UZBDY
z9V~h)Q6g$MQ<b0)YlZy*_{k+`@Dmh`<i(?mrWKM(S(KVA{h{>5N~^jWHg(t{W>Arx
zUy@+gTxUeKRru&EFu$IPEJgw<esOcm-qf&*Y$R4!sunfC&V3&s$wH@uuJ^A>v2<2=
z65}2WMLFrbvzwjN!mHhnn@cYq|LLDE>uwhojWER1GngnLZd>F~+zmaGo!>Oqp>gE(
zsj~F>iXSlrk-#nKuv2i+XwVep`MKB!7=VkZ>#L<mSCTze@ADR<R<RHHI-Ol!WONXT
z!dyVBIi+cMKToAvJ{+Z>DvY|z%>?1{v{3uF&0f+d?FROT?XRW-ob+pji*#=Rj`RM|
zEt$L2cu>6@QLPG1@g@W4k~%5Wm!gORrT?>#Fq^}<u_Or&bzu&lSW-QLRDM+uGnDMi
zA8a|_EP#)WLRRh8F7qeb(CqNNl{g6!@r}iaaJ;e{w{~>5I7u{O3==WU8-z-qM1MMb
zt9Ucq3`$VGdZ-cI;7iT-g790Bs6-8T3#{@}48k4t*{FQj+_k4>61V!X1k8?>#jltp
z+gQ@XN3FIca}xD<sYKT&mqPFZ)Yz{-HxX=fcImUz`#EsixJm{0y)K`S*cuYHs)759
z_TN+`MSZlr+%JJ6mBaPYi-L<E=~&qV3kXot5{tkUH#q>qdQ9)&d7FumhOvUzmxqXy
zWY%61Nd+nUU&PF`$05LUl=qw~Jno~~TVvv%$x|aYk*n$F=ehUc^G^6r21@GbVwM?7
zVvNa6Xbr3-I}uDquQQJL$5au4*oW?Vwa-IPlaXn<p8<Ke`vPtOcQND>0h47L5%jy{
zIi8hKd6$J3@Gu7O-t7!C5^$GMOwtY71ZlzKyFSa2G9_BKeodZ0$<~r8{B2QkUBn4w
zZiUTXDc&EU{V_ht+0)}TN>>X65(Tr8h_Yt1&B?zlnZ>FX8L=Uhz5i-;AQ-c<%F9F7
zP{bTXY!BG618Q4q?d^G7Ar-_=4#j>9D?p_i8}r}AHAQ_St3`sN#1WCamRT&+2y>Uf
zs&G(sY@G6esZ^h1%P@1@=FJ&P|K>sSQS?+l0FqBM1V0wU@X0W?^rDfz6Zk=j@HYFW
z2B%PVJh8|vT0cS<jE-B+0_6Fh%(Kx?*l5w1Ki7vP1(TQ>yNSL<XhS7@prxj5Za={P
z*sdE=eMWM;phSM6zmZd9w;(VuU9N}cfb6ZPzK_^)Dx%kpOIrieJ1TK%617zWJ5>o>
zvGVL<_ZP$DS8LtJA4@#cnzk4~RQmn7gU0<t-MGw3-93{mejC`mEyY==HF9Hx*ry2%
ztjE?7vKOu`sYHe18I~JdZ{S`%s1v{39HN>=Dp|9jtp+<UTBp4wCUhDO>fSv}i1&~*
z9(ja|!Z*w{q>7C*88J4r)1$iAsD7rd-v*BoBfbnvfrp)bK`QRsr+*ar!MpcTuKl~a
z(L%(_QD<v0Q{@s>m%5f*jH2q4rhZX$^{)mM|0`-;m087?%H)@x>|3h!CBn8s%>y@|
ztVoV+SA_JyBV;WUtPgJb?$$s#p_z%CA`y|qZ|DT+nty?Nb73u(qUIETtaEi@dT1W_
zs%U*F0~Q7mMZ1rm?y?<NEKs$bAuuC}ZWa|kC3b0_@VEFu>$}O%6UTlk2GD*M-eGhy
znK<{5hg_39T(~B~UQ$DEWzb0iLyp<fW*gOJ#?&C65Ju0=)4Sp0?6cS%LfM#YT16hF
zf)pZn%3)GUXOsMu!x#(5f^@cCr!e?bQJXUl)wtcoSegTs+8YXD8x+H)Ay6|^GrbF*
zasnxf;W0JK@2t5LU$D}Py(MiuLC8W{vjun8t8`XZIg#vli*Dn6;bnf6SQ*#lQ==p%
zMlMAUJ{vat;!NFT%K(6{Ocd6!3<e&!q9xR2``^Wm4YglVpUu_t_LV~Dk$eHyE!Xn$
z)fN;A-(Vorvzk{eOW!AyKljQ`4MYQpa{{9sFKK;(VzV&#CRXJIdVGanuCOgXiAjq_
zA!4={xVF^KZKQM+7rh7ISB-KK5<y&mef{HQU5#=I_hHRA@aI{4vE(<n=`?Pq@JYoC
z-sJVR$wskrmtaq;T5wZXYc|?LauQ+S6pc$Z7&sFdV=D4o;+gWAhruAya9~zrdc=8e
z;r5o-I4x;^NFCMmAv~~@y1GF{XSBGSYw#J28D?gpHJx0D@LAho*nKsXeP#H0OrE&&
zETOII3LS#R0^I8NMrVB}xfLFR+ARuwSw^P0xt60EL>Ud7)Wyy?DbE)KGYNdUb<>uE
zPxGRXT!c!(U!n7+Ky8=63lik4L~k=O@&K~J_kT?b+>lg18{g?cRj+}q#ul(xbe_Qr
zd*Wtg<s^<)5#u2ySo;zpd6A%&K)1u4P&#N?Q8VQ8_|f2r7#$|ziitbHL4==2wo<X(
zjn~w3vw*t#el>iQ*&{KxJ7-hqE<jjV&M3qqn@JoTsCpX$ndjiPdzHj>x|7TZwOWd?
zXdRh;(xGUK);aRk4@Ow#F8#6Tz`yA@W+SIB#yl$IKy$~nZ_o(qPcBzXLac}(ekokP
zF9XNnJax@s%1N`BjYgeval!QIm`59YTGt~=ZXe)BZI0+ZJ))IkZpZ}oagj21ZX|j5
zcTfq6rBAx|q&t9tF!^LH6f(!4S$0Yhyk&!3Bj(0ol1o0dET=%dg%k2%2B%CutMH7N
zfvQp-&T+U;-na5+pZhzqR~<JUF1fY~zQQx#>6bA}=+bqT&fp;?Qf+Z*S&<sLUHVAS
zs?rV&U1y<z-R?$B&PS^!J<~Avq&0-}zTAq>Q8t0U6-eiYyl?{U*`><|iG0kMSkyiK
zgcNWXxG!j_G79HypDnc9vHft(1f>-@2G#T*I{EU59k*^R9D&8eTJEK5M{=?>%7L8D
zbVu`!bB1ZVhuDZ$!Y4tFy~J72{ADF8t@piVKl~^KoL?t92d0itm>)A%Y~f|-Qqb9Z
zI}VIrFE2NvTDKSGI4NKW!eGW{5z|t7ZF-T@95_zowxDSdUA^Ux!r!)H<NNIC<Z8q?
zr<ZmpV+E$$3W;?GTCh;7Qno;i3EwtzwEeUUC;J(A)tE}N>MAsK-j;PS_uSmd9iaLz
z%{1Psla>X8;k^|_5%N+yZ<xCmXNWsSh4S@(0EI=kK@GL>Vct#aHp%pj)s4zT-W27Y
z1mn<O4E1k;a&9c3dcf+0+^J)*IYE^hLG<L{+pb1ctyW{02Ugu5tIm2&cB=@kRH}zN
zuJ!P4oF=hNu<u$$TkzupCw*?R=As0PY?W#AlBy4N;5#kp=1+gzWq3<j1dIKWcCbV?
z9ntcZQ4r{GcpF+Vvh?gZyV-NG<SdZ%LO7WTt-1ZrngCQc{_O0mWu%?c#^URc{SDqh
zJuaKPN};dS`r!Mxkf1wI=g$Q^jE%OKWCK^kt#k1fzcz4M3~x1ivB?sg)Wt9}s5uP(
z6}?fLx&2L}Kcjvd^j4{m+E*lRxyi2DO^3iHpwtnJJ!{r5j%eqwlTlFn<DpKZ)<#Oi
z+Z@|Lf2U|ujzPZ&Gf7cT4@VA}7uU_rxm<PKj?yK|Ih)0@wDN$N3f=?KZ;S4ejygd^
zj6Y9Hr<_iHsGV(kzsoX0vrsO4eJTo>)@m=3ea;;S87RaaQt_A|j4WH{Xn(MC{S#*1
zKw;!a^i0&<#ld%L7yZw>I0rLV|G38W5-m;Qvsm|rYLC&x`c6h#!29d1lC?9MZZD=*
zt4~07KQ{VBBJ-b<tY*5larf%l!v2_j9PcY+eWqTKThM^LN|03?-Cua5wMSoUT-?4c
zjMc~90gG0O-*wx^>-(^S^Wz1A&g#bzXf{&Lq_#`?OH8bW9c~_5aG{wqT#6PRdx91F
z!2p%1xP^t6GE}_MB%W<1igV}0wegIX@+77kReGb{Cb_}xGTz)V-HMs*sq#2`|4{Ad
zdh+D(5=$d!L1`qrk}ru%z%UjHq(iKD-)ft1?ks1qNKoV@e9fB`SifFNSbDnJJ@}8I
zqM=K3fGN&2aq^)iw=~OmX{^W8KrePIJsQB1UOhNVmhM*zN`^i``M4kOKxQ^wvsZpt
zdNFTza`B?1GsjzD0NIua$4=FcqNTjTqoN^F1ed5^qS8-0POeaxTiJsA!h*vxKOR{B
zYO^-nCrc;KyG1*YWBCFUFUQy2<G-)-r`yBBe?-L)*IvY(h!N-}lX$C$yZiqh9be<7
zE{m2H?Ehq(Es{;0^Yw9b@nC1;(g$IhH{qNe--RPPa-ozi_i=nUxMKn6EZGw8OP|%+
zbRY)444sXw^ov#<`-2ZfO%=5fxx@H|%k|-hMw6~va_%=p72U+8ZaSBQDE3cTXpx!6
zPCYp*a1}%y?1cqQ?E_HJuHNPcojEh`@WBl}U{{;$*%eKlweL0_TMdN>J4!bK#Zr_d
z-#t3zP&o4O@bYkd_3}lYflWp5abm^9%Juc}#nBZe9UL?K6$G*oL0DxVgv+vXDOiWA
z9x$)QPWR8A1qcR&lb%tpkyGafavV-pU(dJ~E&Bc0HnX)Gx>y5=O7ConSU2ORcID(G
zx`~(Fm`+K=rE4#yYpNRxzW7VQ1ZGEidbP(<((AKS+E_;@UVk1R<+fL{2e6M=TQ5Pm
z{J^X4zqtj!yCeyzBo@R{5S^9<{Hw8Zl+zJa-Kvl+W_tZToA!5y0o~eL2tadRtqt*|
zh*L;@^dI*g(lO4$FqIHmrcO$eeo35v{!b>wik;g_t>XqiMTqKr@XLAVJCL=LZSHq)
z6AL0K&AM<c=N$8x)wbB$5nE?0Df{1O9hNJI*#6AG*JBtB^4*Tu1;EV?ydnK)xZ#sW
zIU?IRWpVi5dD!Ri0AMHWB1n(OPXXV*BCG8IN6*t{{IwQ*H;N(Bq8nwlr}tqOA43Ox
z2>iT>nL4emKj(4k9bUYIC}Yh?T$y&yu{Z=URtb)LRn(xaHcLxJE#H}_NjX($5;SJl
zqq9|N*l$_!#RO7K0sro((1p(SMIcn{4tgwSWD4Y9q#?IZVn&EeMR9SYog-9B;b2E*
z3=88-T<eQu7E_cC5Q??bQd6j=A9o-8glL~>QxY?Q&<ip!)z3)q)qi{_7J^}n%+@ZC
zu5W~tMz|jWnMkEYt8m=KacCfFxAONd(znUfc0j@rdZb4}>HLZhdfd{H&aJo#dllXS
z5TEE7V)a?|aS^;5VYIa^!OVWD)&bU~VfW|XgzxNhkUlAIuN~gvuN()Pz^>OMa@oD7
z?rhw;i;8aK^H}9nq2F?%=RT<1)>dqkeF|wk!~c$zgiL6>8lkTES+wnsyIB34qRCTe
zU8T;FzD{MFNos%8=+&`D7nbve7YcspqV!nhi7ZHZVTcYrYog=~l<hKLc`u>E#}%GQ
zbO(g;i!H<z;&=at)%c)z*K?bN`&x_gMWH2;aKFt{e9Svc8i3V*!-qS1DDa15fI+<l
zFL%cmy<r`-16RZLH?pS=f9MSu@6(T@y9L*~<^L2V;<EBJr@{XKY6*0|AO>ZCTa5F`
zL!H+;YRWyQ1D2hD=Zo@xGJORA%pD*%2RiE}^NdC$|0@CDJhB&6_=4}ZFF~w-k2lwI
zH>`-_RfG^Do1};m6J5Tmg+Laj$dZug%Mo1|COi|mg<tJ@P7tXyvDfuL(aFtzB_`1P
zM6Q%a1CVbwk1LKCirx*0?VclQ^;)zsrr&)5jc_Y|>7mcC(2(7|_gzQvPS0#Ed;ZnP
zj)VR43J-|%O%ZQRO&~~-N@WLFJQVZhBzV8Z%OK-_iQ&Fs2V|t|4T!5uz;6fodvB}8
zKR6WX?_#V~kTXrsHk8CsLGXwTpfRx2G5|exzGD{wuNSGJh;_+crcgijW*m_vDe0~4
z{4fB!z{`AGVOTHb-XGL;mtYV;)d267#6=eYHUwELfDQkstyq7y`EVNuJ7DK6hB`2i
zt^o*NZs*)CM-rDk9nS>;x_$Rec5T3n=OPN$(EBSjf4O%>7Dj=-4XAlAF#X4(at3F)
zyc1Gi=vdzi@da|=$F3THolwZt%nV@f-SCVrcuZH|1IsQIPw#~qFT+$Q4D9qzYd3@$
zOmkpo+qA4p4W*bg2Qt}*-ueitPIc<N>EG~4iYak$;Wz>cNBCn_j4K}FYKJ;;Sg1#K
zL(9?MW|5FvPbB~~0T)WZoD*!N=eMRNcxx!i`3LjEF|_{H0s~k8Z(9+zxJBMOafNH6
zMLV`5YkmL37o>rcdC||zW9B#gi?Jj)vFt%%6@JkoSCM1N5M#xqN`zP$a5mhmSTzaG
z8V2e7*L-dSmkf4YyBkAi0A@c*6%9w8t;&F#bX9<VUCFPCSfS=%Ng!Y)>Hy=nTp?iR
zJ7S+WW6iiDoPi1ax|S;_jrPEl*)Rs|qOaSM;>wofv|P5b<?PlNvVb~tdvI$KyzRI}
z0rO*$ov{HoB@oR2RNm4PmM&mXGWKKIvYJ^2v-kCof*~`W8gw*Xqk9`w`T{IUu07QF
zJ0nfmwE;O|m&}WS_r~^GqZ<KN>ybmh@}qu!RqdO{3<?n2HU{97CtS$S^W=fwe?3dv
zY~_3bkAp=r&)c`JAnf|Px8`iKkUoG3*cvgN27LOpN-g`lW2NJLR;|yug0g5C^)~4K
zuxl0NUszXp{6aP2Y-Y!Eb>T5<6ji$~#TRlCzCSx24i~VH^RKAHffwx}rNn`@Aj@M&
z6k%a}x(H%YGlC2iS=!GskfnDEXkMZ6`WN7r6Id=$_5^ZhfN{B+nXH`xVKzVC7$U#D
z&Hvm!x7h`teBX7S;`V8MlRL_rXB?@Sn(k+ZdJ)e-WjdJG5t;`J>((CNYN;{JpDt_z
zN*u972iBbk<k(Wg);T27gH8y<a(10&dw*&GTJd@4;(S-dWVh59bmKJyT_gz0K0hj)
z$)mu26OOaJ#U6--lfV`*-MWzKQ5y~!5(us=FjE=|XLEW%=pVqd-05M!Wd&74`aZ9!
z7Du@>Hy!Y|WCI>}oeB#6Ww30yqvLMIFc}8RQO$bmUlfp-0K49h8B^(G0tlU*S#@<?
z{)=5;o_Y#^R1h=WvQL@Mh`|F~@yO_?UYyGRTAV2l=Dsg4pAEmN@?4$XfrVlBHK~8L
zVCP%;GJY$5z4k13nkg?9KFZcy2JFzQD_+<7P^QLRA`|V4cP=~}>pN@n1;RJs0zvF{
zW;{z`_2Xu4QF8#}9Iz@Tm`%CmrleEQ4(eA8`@jdY1hG4rdYj)`vMLcJfqUsQXyx4C
zh2lJ;jo-<-^wtCO)pa}1JH_x7jlb+6E&nQrOba`(Td3}~PuVWP=)8PhWzCe#Hh`}#
zA7gYDK_c8J8!|HI^CaSt@!=bTpi}xd5<C^Xp77wDf5tL>clJnfTQ)@TzEr>(+y_&5
zM&H6t>;3Wqi*fL13_PVPfr09f?q1i0tA>sJQnv6Y@@xjbE194V*?SkqPNWfH7|%TR
zDW<1he=cy^sGk!4(JQ#q6uD>hr~G1hOxUZLH=$Ik@jN1<IyZOCVwv5Sb;pOdHqHR{
zRMN^gRG<P9^<*hy^4(J?<d=7mop-&6oMz$f1jtL>QhYvKXm^!OVeFKvelL_cbfKQY
z(w!;zRm2wt;GZwAN5YUU6uY+X-wW4zZI3Hxb2le;$mT@-isf0VLV&NO48)AgqEpT+
zxclb&$7L15b9H!Lp-j4@Hq*O#Wf;VcnEhew&ey};v=t=}vYGb)MfUZf{%n7(jVF~|
z-I3!?5ic*Ia6lv8=npp0^n8BPVB(hVf&<l#FYkJMJ<njFxdPm$uPKdbt6B7Fd3MA@
zq4c<QCBiklsM)z4Y=UX+RR<}2@o55YUmeDS2gPTb+1@-^vK-|-AHEiFGD{{QPyy2#
z!}?lLIBXv0iKSG6X3#&u^IoZLK{O?K_NZhnee7%AncL67xXxmLywnFT*aQwo50_;p
z+}tx9!;*=7VJ1y^jTd3Re}q~w%!<a1LpDfe``p7ja9_sbW>JV$gj-n}FtU<LmXQ(b
z;-!Wpdl`lV-BIqn|H?7rE3>&Tw<JFnAqJK~B8NWL>js@IZX!}_tbq1`YflE+2vJO_
z@-uy4Ivpbz{u&EEtBmlq9Hl*+IQ>8(PA=h(Ae&X1euEgTcsiQ}JuzQf-tgdD%OK#V
z5AzL!6txnPaX?jvULPk&qw?p6?}a{ulmtHx>zENg!YyvScc=J$Rj6lO!(KM>A0_Wy
zdYubRXstZRr;&V^-d^iSJX_hCDs!g*iea9<7s;sGQD0){ty<x<5s%jT$QNNUc|+9z
zVX(Oa=&r&9Rbfd-Tte2FQ?X?w{hh!41)+fz<+HMQ*V+#|ZvcE%L3z^01)%2!2PBOU
zL`LQd^EW^C(`AMNwM3fi2v4!d^lHf}^fh?Yfv+H^AoPf|$6nh$jww4EMdY8ER$^wN
zUXIUv_~K}V$aPrNO%ACCSylx&d>KH5x`m>Q?6EJxZe0OJR;`DvRs;G=P+HY+>!^h$
zy(nYZS!Pprv%^Wpkor~aZ(RHh&bNaT9mN(6!XEG@XkfBm`EKIHhA#J&7xC$-T?*=w
z6MiBbGO;mcAWh<o^ra<8XJVN*jt^BCM5++uz}Heqe~UKk(IRE1n1+Z!ws%sRh*S6*
zOy^1l4nIu-`0b8NfPOvS2$M!As4>5h+c*Ghw|Bulq<X%t084D1W@<jbT9z9gwp+NC
zkVSbO3M{=d?WmD5B$XA)1*}4FO<mDvRg`_N?(@@<Q9FR2G?O_ynmDb_e&Uc{x68G9
z(TT}U-H!k2v|_o|_gHjBKML;yhh3^X<x@29+FL+QB-*lwE%P-)^{?NBBzCyBLDS-|
zl@|Z+I5IE`iNmu8!^^{)Zo*BS@S|JjN`Px;6`QHIZY8a%+*zZU*5U=q8=8~nxvb*k
zv07K-Ze^0p=^wFoKM65YoeLqCZxy*c94tJ*cy!l{_A-n!GW_}r*>I(uI=#Oa^)N!Z
zH#E7@?QN6M4<nt($_I(AUflxECox<dmmM^gS*IvALG703d<^qCoIRD9^T+Kf?#9Fb
z3f73$b4LIh9jk4as65nz_0Yq!OEs5CSDTz~fnFO0riabvrT%$%wH*E7*17zCrbs`s
z^EvAqYPq%>6lUL@81g^^UF$3hTb-ZTR`Mi2vp8F*Tt^nwuzBFM^6FxWs_r9tdGJ@a
z>7~B3BeTc!XGNZ~g_uo5Wq2)8@AotuYc(jwx)lHEG=Pp$MZ1aUBw}e%Ep5Fs+gMM=
zwElu**xdo;$ES1XqQ+@_|K3YAV;U`DAnBui&mO)QOe8Q5PuzF&v5KscXvk>}vb)YB
zZrO9Mb|{5C+QS`2@B%{4%hedHTXU36)<b-&6>4Yhn!&opz{22RUZP-@2e1m2SAAi|
z*K*3Ez{-B^M@@GJRFK7B0AmcV)P|1nV$)-P1mXh}wcKvAqdk5Cn!OyN@VvSTo87Yv
z^Z8dcKEE?`2HKS*WjGCHYD?v=13hZ+-R4sx#IJ$iH3V1`)P@(2_o`=ZVi;{GsP}e^
zBuu}b0@(-T%zwM(#Vl?`|3@B#t*!@D;W569l_iw+kwKKhoWAZ!;p#Nyxt03~*iL@g
zyc-W~eE+WlpSLgk1LWqV;M1@kX<ZAWkhu+P1-WCD*}b`mmpi+&687Chdy3%Szw(Ig
z0(jBK!`<vS+sR7AIUPENF$)=@4ZSA5Wc^c@ps*dQLAe@vFP`Jve`Vn>1>sBSvW_4U
zpHF>JzBaB+c>%U+3Eq|YBfpJb>hW&z?5KG8U<=Qd`d7go1i1L>#_&HBAH}i5p8Q{4
zHO>uAO9`_&c2;j`xgoLS+@OcjRy3D}JOOBGAAj+{=7zr^9!09%UE@{);Tzpu+GbQe
zoSZfib!!QI+}W2g`8aYDa)nnoa%HS_Ns0Q-VZrU*UmPWWh2m#D7-9>9n=w?(V3@}+
zd@BMYg$gCwnJC`Ru@sGMYK_*Nn31Aa^U}fl$o|Z8Fos{%W-HA=IR)~ne7p^wrbxNF
z_V%5YnCJS>@Sj$^-#>u=E9uxic_2<>1OV{I2mF5|9k9QW4jTho3sV!P|I9h<Y?BiN
z<FXhKLT)~xrpC-+VY`Y0j8>%Kdma~sL*g68s*&p}#z+!~zP(Hc;#<pjHGP?HX1t$y
ziGp3X%|XwqpgERT=L3uB3;wu+HxoRPFN5^@lq9vYF33CJ-JDCK7(-HIUw<iSEpKj6
z2UgXC7o?z}2EJ^vNI)Z*A`4+7n04tv7HEa~e=yd8rqu<S5Y4S)^Fxd>=Qa#w{e82l
zgll={k)xKaElArIW^HF{-|M+)kVvFnhG~vAkVv)#L@vRl@bb#Gw)kWJ@COJzD~N%w
zfYn(FpIB%#Lmb*F*LAOKjKM|;ze&Rm6dG!)Y^<FfcIV$97W}CCgK|i|zViH}?`HFP
zFUBGAq9~2}VXW63+z*DUXyU)bolV>tkmEi6!I67a=tz)}uvK+~2YAL6oos9~aN@Rl
z^4>Dfd<u3W_}V3mU2h|empsaI)C>GuFM!7%YJDy0*-e(X$OAq7eQtt#u{rA01&lAq
z|Lv^KN9zyA->y3X`v3Gdh`*hsEU&60EUGUes3NK_svs{c!NkJM(8R#P$i@f^^1tCS
zdmQNyejonNc~wCg7z70X;`jW&2i|Xk#ji1|6TO>>A+3ppF|ECw5$%61w2Vv~boRDp
z0A94gixCQP;;>Ly|HXopln_z+t^NNi5MaO8AwGkt-wM)RLemKV02=AP0=T&2`w0L*
z03iAMmF{}Sy5QNUD=T@=o*TPv2In>vKvE#Esq3tShGPV1)g)A_XKBM2Uo5WG4fztw
z@<CXL+J?ZW#Zuz$&w6{;y<E(DKhs;9X(nktPN%fhT;I7}|FXPpI!?2_t~<(fb3e}c
zo})g<O<*21l*h<8kw7#hAu6-m7^_L%O-67PRkEflkjfmh`yUV`_l4mS?BwdhW7PD_
zQAB6easFbftFNxn(7~!XBKl3qBdUJN8z{xej=QXZ3B48e%VX>}#@<N`67&_CR#2r4
zKIjzcqHGh5ZO{r?FM&GQGmV7^L9OAaC4;e4wLp5C1Rp(LTfo`EO>Dp8lr^7Lu8_v?
zyMB&@Ch&1gouAiMM?EBsO5^a)l0lhif!Z?7JrssxM&xtxQgH|j$j>LCbrytqBHR|#
z5)d}GLcJ#~Ao^Asq->$YufT)qeLY_(?S;BUVMD>f&Wr1PFE9uMu2^bwaI%}JH~DF`
z>T*pDJ{;8_HsKcT$8SM6aX3gtlLatpnUK;@TT+hhYAs{wWnMLVf8Y1MFaD^#`l4uy
z<(c_AIUzUBPTu7LW9419L@tqpI|F5^vD8>=9f;o(YJ_7trw>MMZsI8Rj?TrYuYT-#
zIJjNy5<}|C8@)(^aq#V2akA4J1S+G<4*B|`A!LIy&H+}0ih9UHgrB|)CpX&&a5)&*
z)9lw+CmhEWNOX4$q3b*?*KTgQ$D+sezT*IQGqU~!+iUa=(Ls{0gX-m@%6-rgw#@-<
z!Gbz#L|{sAA$-yznwSWv;dOh<PITQ7=yboIF>~m0klH2Y->bKi9w1TAaTD7>>Er>%
zBOY-vYcM3l7lvX9-}h;u9KT_&ruf9r4Mp#a)@&e--S`+Wjh%APJm{hwuwc)Ti(;@m
zw;L3pb1$}mpE2Ob!TU-C{j5%Y3j1kjH+Q3lT{T=1j{>kqOUz&#G|x)6Y1a;6at92P
z%<l4IG42tY!Z+~tlNH#&3W~xu{~9kvekFumZ|d~Mwa7DH!Epo2Og&1Snt0L4wnX^(
zC$eWgyKCXbziwuHoZg;o1^Nd1i>#w7beN^0t?)moStwr~3<EMA8F-nRl9J@^(H{)R
zggMu#?lYT@v=JYf33&^(@~Ot$-35d&O;FyFpLSFSfqCIl_f=Tj;nEf2ur>2D@p(y=
z>b`eLqr}?iKk)-6;6oEWi4p|j5~*#S+^>$)uGMXRIMCS4^e$Z@5e!+i@u|c+=(Y~s
zqlkP%tS@bid>I_^HECQNKX)QZhFI5AIELmZ&t@+0FPOAM?%7m4fO|T<>Xi)mh{Ip7
z3qbH2puah}%fzDe<W2F-NwF-3jGKv;foh=iZO<dL9}HZnW@&z0R_N9-_CE<LeaOo?
z^&KO1NZM!PxRT2AyIPoP+2dlGoDqh_wt~9c!&%7Tf9kq@ipb6=p2jJPE6GdToO}65
z*8`Q7);Bh3ozT60WfsEnwivzjs$=ZeDsBuxBhk>ei+pPk`P%W}vRY=!hzkwg;9JK~
zln}VXLTCf~`SJ3Ew3r_abrstTAq4HItN;-+Pa}8(h37`QP7ruA?aI1Hc(>{z=nOMJ
zX$1IQO#a&EkXz7Tw=beAwxT+<a<<iOKiPCUV7h_1dwV}qp1YnaYCMXWQ}?Bz@*<@)
zTMC+&qg&R@kX_L{gRb2}wXtoGUF+&@DLuL5^clFwS^?8uU?7gaG--D;gOicT%DEP+
zejI<sSIdppOC#41@goIGx=014kObSdM{*NMN+H(2;_K{W>mN%81&rf1t)lf|9pM;y
z($?D3W90cD#=6h-I~>6RuiWk4xM&NC-)JjqeB%YbHnNp_|Jp`-ymgt#nlR2}-<2#i
z@m7qLc$6M<7V8hPv#yZdAtT5ZBUZI}qp{c-I!`m};H#a?Y3hE05Wj-6MqvZ<uo9jU
zVYuarJ<0-Eygv@tJhZOl-yGdGrUc&NH<xesT>u@__-!aje!mWVZ}U*_(((&pU7!SK
z=yf@_4m$vw&)%uIKItZ(#Azh|G1BP0YFr^51}SA<Z=XMFxZ5B<On+&W{o9kEr}6e4
zndVW8SGywKu&D3jE5GwSBzGqa<38kYv_vj?LEq|hAv@3N=rt52ndom1C`+=4qhdCv
zrTi%0#KABF;1)fL!?kLodzcsuG(0~d`_HNq*i_~amF?lMGrqBX<v{D#GYyw}TCS6Q
zYmb+zNZ+r_Bz22uTC92T53l(MOW~G3S+_Y{Nw`vX8K?7kP8M}912ev|{g;7;7F}}j
z8e%getKRU9I~?3YA-<unVhR22@aK(GTSms&fvwlpc=Kn0?G`JZWcMWHeMB(=GV`!7
zJrRy(J%00~rKYe(hRajt;he_l*!1tXAv2Ycc;-Dte6K8Vz}$6kiB%UIF<^%WIWY<T
z@i}Sawxe>-`ND0=pm~SX=IV!?!|IT~#RUKSy?1z29B$Moo$eD3dFBjYv`~9<@x_d{
zuGkY&B2Oj}JNKwni<$n4_3!<3^s>Cnfi?e*T1rxs!145EEv+XO^8B4-YWrO!t1Nbs
z6I$vXxSleafLwzIF9$M{X!5?UGU$}2sVgzIGZas^fo=Kh6X(X{_F!&4hDS!H_{M?+
z?XC+~FCw49_O#|u1|e^@lOOYNNu^F(y-h~-t%k9bY*+*yiKO|-lk}jy!s0p0&~o{l
zbg0?uy1d(A!u7xhgzqGs_xkKa3&)1YSJS6$@}l=>^mxm)Nv4>-&EwCufK{)s$2OUx
z`T-67uqfg@I)d*al^8@$of4v-*Vkmv4`U#-@U8#_Yi$y<Ze9N*d#K^_^gom2X2FG~
zN`lu+mG4z)b+p}k2LqQJ#C<=Qo9_w&exq>dFYs{wEI3K36KnSsT*Ja;^aG?jRJO7e
zCfE9@``O5glXNE}LsS2(&{7TGthC!SkSg~G8D$2>gmROpQ=mvCMV$D$?vt%SQGPH(
ztdKkTq6a5&_jYw2BsW)a_Vxu|PtQCwq8tX1_QV~cJmQKA@h$IybRapSRX{MWt3J8r
z$TkXsUem-Y$V%JZwK#@&0@xJ5w@U0aw7#Kr)jV5Q$sd|A`?mLP?L#>+rOM}F!M7XN
zS*nc4JK9ft^xTv@Z<Ffr2uYxAezvJBleF9>NTFD?_6Z3eo8zG4_(|0p<@T)8TFUP}
z4ZttP9ydEdzp-SMbH=jaJp4FfM;fO!Ng@6_OeV6Kr`^-zUOahFMoE8^DtFpyE%AiY
zsDx*m2D|x3laj(={0v?%lY>DGvQ_CD2u!uK$LB}IRrXkHL)j+HKcjZ=m<+6cvjaM=
z3H81mx`uU2JfJiYM<GCCB7%R{;HnQlH9F4_yZca#VR6q}yh$O2u&R2*+pZlHUZ2^*
z%=Wr_U#~R$qsF+)j6E7l%R2ADJ*_=h5pDA;$G?ahvrSP&<U^M(2-0jz_(7&BH-Ucm
z4e6H)owJ(3`Cb?4FN8nzw{%resBsit8$-R8)%OW`I@ouH8~TGh-k^aKlI--<r64JG
z_;?use(o1M<jJ*1swnB>bT8L{D3irh+dXF4Kk%YVfJ}GaF3+O9vl--Y_glZAh}<z|
zcQ-gXNR&3)ulbgg$F@XFyOgAV$V&Y)S};AOGDHzv)kBE#R>6s;aw%|{n>x=g>3Hqi
z;x5t{SE*_4wc7PT8<b*=)4Oa5EW;^oc)O}hPu5s#3a)QGB*5I=y`LqFue{+B67j4^
zL{9@CFqrO_!H!?(zFJ?`UU!?Jo4O`GeRNhC&*7#-AsTuCVB$j`9b%AZayfbH;?nh~
zF$#zn#E(;##fhS7^>pt=$2_KS<8Al}m)?<3dZArH=3s!wif9ql)RI#T{a%}~*^}$e
zYUMXSI(_Vm+ffX3&zs*hS@?C&hb%W$QB`a&Q4iszQSe_n<788UJvgA{!)g;{ZY@Iy
zHyb0ksU#YR)XlK&B^H78?g@GwTF0Z9^?1qbOf0P22eL?E^KvsYDq>~#@j#RG1%}zX
z?pf(6_!a;Vp4WjA4Z~;b2Nc=ScU-0bcBK5tN6q49T_y4&0^=teUoLyC0F)v+d6?<7
zb+>5|8jwmJyx`@hxw)1m_2D61@POW{orMT5jqP}sS#h(%IVc2+h>l)>!zjQI+t`D8
zjRus(HC(1BP`d^8>ISy?1_&XCGH@jn^E~U>Ffu%jGZ#yA4@#zt_FIILYJ#>~LGhwE
z5?J-)PFog&QU=Cp)oUpuE;WC06)`QEz(~GWhp6~~!j_HA$qP-*&uJ&yo~kr=ZVMU^
z!p6I34;2`KPPP}+YcUZZOy*PncIJP+=CP^hu=A}n;5USs3A;5kK1!1#7;8y4PQs7N
z*Z1`_b{^;B1kuF>fa-|@dasu?nqD9=jZa6xtfO9L4Mu7D-_*_&9W{c(-EF28Zx(0$
zk(HVM{AXjxoO^^*Nv~_Ys3y!&SVnHcg|<H4a|ulymA9ek<0VOg)M4PW!PGwbBa2jK
zLmpX@_3Q>g7KjM#u?P^x(or?4%LD+%jqOz-z4Z<YyU~g?57>MYFOP`t;cJ$%_XmBa
z*LQ9FF`@%*3VVI66!Fldtx^%=2vnZueF0K>xDIw=N^eu$>mjr>zqW-sq~<^zp>%h>
zbPfwI(HkD9EYem*J0b$Gl!TLa0`1OwGc29PH?t*9Tqx*MP0{8`Je2UdbRbInrOR8U
z(5FK7ko;F+nyseWy>E0bzV$HB(+qW<{J1xH!Z}r?4NpPrG&XwgLJRd1XC4@Jr}$_@
zOY&~v1YY`hxjiI^wBHyYSw{5iL$L9wi3fzj_|7UyI}mogvxAam^Hx&yU@H;-N?x#H
zYI$(Nk9uf?XB<}!C4%;Oy><AYx1+DWf;#)s0+RbEp6tW8an*I^pY0YdHkqA#m~Zq7
zC~pSlzc`l%c!ewpKRQuYBc)KrN%V8+*Q(}Y)*Tk4O~XTG$5!da2Ov7Wi`@Zs=buml
zuk;G>#!B#gFSS?m%DS%0|6*NBV;N0B&uj;b0nLR8pK~59{g9M{JI3h`_(wu;IgufT
zbY2*JqC5kg;x0_zP*CcW%`HX-`||JG2O<?%5^WYlG&oMr0(glxYcR2N-j24{<>BEd
z9<#r+mT+Bvu2L;!Fc@H=sN`h+8j%bq-%iF3EpV`ji+7+XhQI)x82+JoI7N%7VqO+E
zhe^%CbIzW=y^8C#ecTsjb`aq+<`ZI*z;H)TtSXhJHgY75Zg=0o{nJwbUWELg?WUGW
zgtE%807Fe~18nbdNM~kvYoNY=setj@4rG!JXf{E^$UHtS+81B+#ywp*fW!Fxopw5|
zL_E&)Wa}cdhv_@u1_;tUubsAk3wZn35cD49ES9o=RM^z9F&&MB%^5#oN{Y=eeVlPl
zIBP_Xp38io)6@St_WSXs^fGSt)y^Ese3M$aJBsHkk$jV_KTISH4My!8ik(X7M*RCs
z!pc0{7FGz6nI!0q=KX2VUQ3zvXe+K5r9i}g>uqeLB%&uxm?bEFVk@G@iO(&I+nEJO
zQvL@j;7%t!w#-b3?DeB9M!xd)l@(SJE!8Ns=A1G#x9O(Bub5ytV`Zwdd3XzHWCb}N
z<~t@{k|KIz&gotq<gyeSI~soA_pqV6(xy5=<z&nu2W)o`9(&Z|03jI{=*E0GO|zzf
zJMC&Vzs#~mk!&w%7!bW(P1~ph2|Q!T?9Scb7sx@j;6Y0jS)4h;xSYeZV2Le3e^gTX
z{>K~^WfGR#XTXNGQA=wZ%MxO|G4rO8oMdZcdVp?gJiIVke0h<ijimHUw0wrk-MK=F
zEYS+Qj8eVUY|ca!t{?6dvelE;5KvPvM#72-b}L_@E%dkuVCe%SZ4`jKm{T;FihF?C
z0qCtU1_OuXm?$%^?=#`X2tM~LQc+IIIXd*}Ly2}K69zweTZG~K!<eD)nhr8lUtUU9
zm+NwBN5!%Py5!QoP-k&T+$1j0;KVpRiym+&niS0J*KZUg&l21yAp60`>J{Yk3wgA{
z!Eakd@#%u`tJgo7iXjqz5Soz{$IPsci}U3`vr0OX6)c^VgLj6yyv!2Eq+Z>Vx0nJd
zn|R8NJxrF=$#{cyjT>awCK-~ONZCljJMcDyJtUc&eH9c>v%U=sEHzzS_wS~Q3HHLs
zsKt4$-}FVAGb<3ST|gD*icB(mFk6YErc+Mp-ftR91X{FA{;K%$+`mF5^}ird393TP
zfkqHzfG*pyXeI>T9g<6c&uw7hhf^%~gxEgj)Ie?@tE^(F*fv{tUw!h}oZEyEWmXPh
zU>OQG<e66fq_ve^e}cNtB3nq?#3SaOtII7dIxTG`g1USP_Wu0r3cLeXISM!tQ3i72
zeLN2PW;V{edn;qVLTOYQ3?`9jdH@a}A)9;uCW7b50lJJjZWEb+XbWrv;vUOPL~tQ3
z3is-BgV05-<jHqSpIYhc*Sjd^{A^RJq4kVK?$2J??x}pQ_~!8t7vJm0FNGT9nCmWX
z*MpNAlX&@o_b`|GZ`YpOj`m(yx<k74PZ+sJ4i6ETukKNzHZ%7#)Y*jl&O|QYRq)9>
zX^<vNV6l$!auSkbLY>j5S>^Sf3d3)-l??oJ_1VP5VRjPJU2iLO{&?kaVP9|FP_Sl&
zK(a*P<fH@DFkfeJ*vBjCxOwA$2eo*LG8cUz)byxHV(T9XRqqQ{=MXN$RKbL<VuBVP
zeZV$yp-SLNLPai=?eq^;1gMGT_}#QxD%ay!e)8LH>q8{{<0-CP6QOp&@MC$YCL$+s
z+_o6i{+S;%KwL{2HVp{yw1^qkOb^n<NX*_Jgd|9LmM?;56+CBQ9kOL4{T44J&6R^0
zZ!9~PLp8smpM7h68Je-%QE343{Rp$T@a)b<?6x4n&{nNX;fL&FvgF1|BZ2fXz_LZf
zI9oL}lH{YOXH-s4q$mN37eND?7r`21C2Oxi6^oz0+xd==oE4CMSU(Fj$H6ZSA{eW;
z*3J0=RKtjF)z(?RMUms%(kLNYpee2tra#Mb_ct1az^Ss-t~7wBFbfDUhutKFdtO%p
ziJ~e}>pL{n^mV>8R92{cd+F`OQ;zS<+SbGrqLahdq%k8BBH19QfB*TK&fPR5hG2QP
zj=VtAR~691fn8yu<D}HWv~blVH}m*t8f+*eTlY^;1Xyy1N4X3Lr+;ZD=~7S6Ja{5%
zTp20!5toOx+(``ucmRzYD{Xf~JWH5$1{t{syCMo!tsmyVnr`tQxizX5I0G7`6aevW
zSvo>{)ls8ZU8RyG@a3JFh;dInqz32^mq-R7nYq=XR4Iaojs3Y;TYk&9+zJZigt!dt
z+v6ajyj@05ZL770876%l9{>F5?6Bl!d585(kRZ0Ps3ZW;NBu>Mf@m2plN)!2M30Uo
zWWY~a2KuLj*)z%+_xovEpcg<UnY99>f)8?Hp<|czt%A&E(boN|G!P0#EOha0lS>Wi
zKR}NM2~{lHO3EK<^E%e}BlxJsne^8h8^$3E5@k0QL7=q~m4u~Vvb50GLr<c_7vl`R
zHt1L$$*qBa9?xcV1zfG409lzZboMA=So8voa-T*y&b6#^g$5>{bp(82ln(GES4q|J
zBn-!9I%WYO$P2?2-)5Xa$)jz#Ej0^sPewa#_-6E+bU2d#OxHGg&Kfb8E)IaEb)f=v
z`-cti14G(hG8wRF-AD_N>u_K|1_lGQh$6d+q8Su7!AvM|2pqDqKHgsrenKwl>Y}29
zW~SwB@zAKaZxye7?cOZzcF1<d@<`|e)!6kA;iq&y?0Gv?i#aVgL3d%B_z%2U?^1z{
zeH13bpK-`~8KO$|TkpmhpsI@mkKP&^$x;ELRN82iy%PbF+m&ao)DxTTxh)K!pv?r(
z9eSGld+;~%bel;8VmRhA@p9%Sh_*-^{&|}jM&{m(R@*ESj%NdGYEXyhk`89>g?f7=
z4WS|P*-Rk%dqJc;h|B_e&?9-31O<2r7KTk|Yk(CRBP%?CaR3n__?6%RMEB6HnlWO9
zzwxYSoxoKyUvi2A)t|z&%9=6*AjpI;c<X43fLa5A&V@{$3dkHJ-NQ1W*ln!i&Kgo@
z6h_MkqR8``5r=2|^7v^JTzpntnCE(C6ooQIcTg8&dK`;Tnqy_I2BHDta~wCnF8`yd
zK?>_gj|QkMjpjij0RK!P%uGFyG{^%f)|8SXY)mop3d6E_*jaiyYNwXX)Y1(t+}{0%
z9ola_t55dgN(95)%=bc<RULCyd%&_<`*Io0%Y!dXCBYfDK?k5gRRU0(B>i#sz~|JM
zf73J7%q3No?Ilr|fxVS>w4#f2NT)O(!<Nmifrc~~HUL^U=fv(n;im)z0Kog>6#A+-
zRR*C(&m@G2B=TS|&D*2c&d<aCzCgMVb^r?E&d}@%Omd03J8o8J>Y2)Z2Hl@9Q3#vR
zm~m!8fF|^(`b_3QGqoU;4c$#+XQ!SchCmlSCC0=_e6&tNA7_Ey@Ez3@(Z)*GlL@^^
zm>3E$z+%*Uc%;-RzSb{_yIru>d#2=rbod}<Xd>4=fD03*Xb&C2k%=Gx0SGJcmpP-q
zCR8LxDiTFYH|$xW2K&;Cmo<#v+8!idMXlX1WaAbOL8;q@P7yJUD6}qg;;GLrLwtv0
z`CBz63MQIw%O_PpP8vlMH5`3(c?Xy@CuTe|_X~6iB&zcKRNQT-rw0(HwnE39vlDMn
z>BJB!zHz6bf%g`@0jPv*?IC^7yI<mK{j;&gv_4R!hK4~I1wU@^)y$}qO6qP8wMOq!
z7CdIME~F%d5vUGjdPNm|!rEIX6vP}3m-yTMGBV+DnlAXSU~`w3$tN=C6c6;c1*!<<
zag8c)|4b)#DXC&>z#|}UT4^xsMBEeDmaPaNGkz3c{CsPIF7RNXKD-Fbvu676g<iWV
z(}8)t%09N7CY2V+LTj8=X{(+KosXaK^q)KPfRVEJr=d!q52CI3CHjmmgWR_{2y#x>
zir@EKs+2Oi&LIe6fT*EZn`~#S+6vvtJO+SZK~@EGC^G0K!u`sl6H|{?A>d_GC*Lh$
zq0LJ}Hdr%bfQF%AcpC{tX&nzUquK7iqtbQFgY$VgZ(pVB5zWdUS_D6ajhl>AKCb1-
z({W2wp-z2f;5E&STwi-qcvIRV;jOFh)p}Rrj!^(m$mg7NHN+`R9chl?<4NQs+_8)d
z6w6IC_Tb|-)*&ch@<q>L_!>EhKoJoteqW*D&tv|$NsKY5HGFYnI8P79zA`22MIjPr
zWAVCCqv#xS?Jp>DZ_g>W<5F87e(EW1*hp?5kC-_b?XzGqQO&(s01Y1(Si(0S8+f*L
z${x6eQQ=_xxO?JKH5^-LFEmPxddT{7piBY)^s~_?kp%8Of`#w5!lH-W;g#0D4ik6N
zI7E)qQ!?Wo2F{n}Q?lb;2DXW3mqyw2C_38GYsvhS&>mQ@x>U<u%Sw%B#<Fa(cI#AR
z1EI8NDt|?-yW$}47>)TtwgJrJLiV^TKg8LisN2K?LlqG^5cFk27mrEQswg+C(<yu{
zn(XY4K1#N`RtS%c7`vt`-18GPBnOfW3Gx1ow8e_nbrOf6QO_T?@IxrWH=b<-zHL)X
zu%LC2Z6rMaMSd)C>D<jT7buL@PkgcvUy71yE)31j$JWIStIUl{;B6-r-)DfT_X_pD
zp;qcI81Ci{MtV9v9F89)Rgo<W@2=vb<j1mEWoGV{3JMHE<w6pt24Ul*X<@JDXG<u+
z-nu)D`^&x)r^GtEdoqRPv6;_>a{w@+iJ?KYLk9hvZq9`{r4=Jghq{Q52@1#ny`Z#<
z7!Du&w|SU{my!67)t!~8<HDxl^7Wm^`|fe(xTeXkneAgD4(|eF_<Om$E4Kc^1BJK<
z$00OHC2Y-yi!>J<ir$U<^#7{pZPbSQlt&ZP&|-S3o>RF5h82p36Y#(lDGq}=lX$MX
zPe=_>-eV#5Mo}CvI6Fxfcq)Yx%xt%`1UZvS@pMGJ_&^=8b}B6t7VFO7g3EgAEW?U&
z0D&NEgTvoxJf&E^<J(2v5{mLZMf;4R+xY57zN%b%L5>!uKyVP_Ky!2d<nwX+KEB90
z*p&%Z_+5FbYkr}mvF8t_b)0SvR0MUa-Jz_KXkp=g{A@nK20S0CfT!;V;q<|rzy@n!
ziE{#iUTq}}JFrhr$Q!%DBggNBbqHke--Dxwc&25m$o#W~TPxL0YL(4UHi-Jl;u6jF
z8FM>+GUclIdeZQ9j68A-9w>?py31|O$N#LWCv_Is`~-yg)5M{`9kwNxS-23EDPkPb
z^zaEP+zqz~D#PoyskG3%hu(>n`M{>6qY)eWKYhJ(bfwF-J{-G)j%{{q+vwO%R&3k0
z&5mt59otFAw(aDX{hjaLv(Fy)-nqsa<NfEE_0}3yW7VAVnNJk~(a)sD%8*m_=yY}E
zd0#k{KQMZ{JJRb=mtlT;9lS3{$5{9%Mc@p|brxiiKG<~3Tmgo&eJ@)t;mxBqfwrIK
z1V@(}l;A7gw||SER45|0b+M_Wrb7@u_ywfgnC#cr^GtR$JfFyK$@JJ1C^AOlv#w!A
z<)8scG(j}s7k!{l86``PB-A84kBZ=<tG!GEx&_;)jFv2j4^`7*Qo370+mrLrA84s)
zB<DzAvm*C!+;y;(#Gb7@<1HzxyAS$pW`@|LUiQE``+gzYhtW>HSo9GU5ZUj<f<6sG
zPn(f%Wh<Rxg?3u!MY9b`8_O9w>0(v-4!3f{y5gaZDD#Tk5pe+~(PCvEKZk|@w$@d8
zvpMiFO`W+5teRmk45G#Ddz^=Wi&DuOSAnuP@}^v`ipq-~v(1{r7B^+Deh6BONe$fr
z1`6Noc&$A1S{MbXjqQL4I^Xaj*ir|GL$e(A1(=JX^8Tv)I2rv#sjZ{X<DZ(rn&?wk
zOlmJ#U(q22pX7>*q^@`TCs<DSM`UP>@B*DP8>DQv`9jyy#6x-Wr>WR+SPR|<QQJJK
z;jb^^0O4O;0Jc!0OY%~IW&9GEx5-b`MLebSCMk)SzU!eDl+t8nbON%TWewZwHGDjb
zED3>pJGYOP(h5K^9Wyo>w-RxT3fNo|7=$PbY%DJcL%wrZ;%N6~g)RC<YpH$4a@YNX
zL(FL1ejCm0v9ax<=1>^gAKo~qai=uFP0}w?JIdO(&$sXA$uOdO--p^r>?($+6tp{9
zcpfcFO+EEx&z+3E)N7M#>Qb0x7<X}hlI7My+4cMOSb}5RR1qyZU#~3;j3+6y2~Gpb
zozN^l=F~xC8-x517|3^ccsI2+SBzl1Qk*|!SZGEOQ=AOLwbOwwqyV$r`C<~l3k>90
zvHR<{-ez-)u6Do|c+sA6i!BgAq{#rT%BX48U=ETEA!75USJqmb>T5@U!e^jd*>{L?
zebA~DFFUV*&$d-Im5y5piKtSN<;fb_^jRN`cx6{KSb9I{b2xH`D2ZNfnNZ%=osaW{
z*S6nc&CxkF=9(Er#q9-OHIDdXHUmVE3IC8nLDg*iSmdAM*WR5K4U|<zTC8jko|nn2
z-W;qmAMl|U=x&6_3O~|d#A<Y0mQdpxyc%RKePz01FYZ8*bsWxDW>vdN&5WW?Poo9!
z@iKT|(4D&>py$v$4KkDRo1h4S&~vid+m3=R+}R5bZBmC+B7X>b2S{PZtKFmwyZkH$
z3B)I~O~F^kgz8qGci&>@f0~E4zE)S3>YHWUES7LS&VtKm05#kRC#>RIhCj;3&oWq_
zFx^M&<!TbiIo&S%crDZT)NZz+)_u!?$@!)632{KF6`#|B7+r3dcMS=l;q02UCHCQ?
zE$?tt^r`aFww~^O<~=j>ej(EU<HPLY#(bVewS=gEH^}Su13(JPHxL=-0mGOn=T7!b
z#x{%4K28EDY3i3Dia%$EJC(AD@zF2|zZPt?14@cqH1Tz?Jx3k2P>m1M>uTq?TVyS8
zwLP8mct#EY8NYw$IF5DwULroFq8RGg2Qx)}!fX|_-LrE@;2=hPEIZaz7dXh8zyjJu
z#_YE^Q~@0E72spvLNYt_8=;+>REwp!^Tr5Ala{91NEMv0y&M+lw-ieE>GtG5l5IF;
zk*upEzc|NelMD(|^n+49>T3jGGb3S97#we=|5U)noxO0I;&;~9ik;xBl^TcjLl#<`
zz`V!p9@tQD6<nasAx=q;cXH3s@&tI()P~PY=E`%e*la~xTEmsQXmzz6nZ4Dkk_y1F
zUous5v+{b7U6^}gg<F-CW+>!E=BqsQ`E(g;AM^0Y&=(!yuPwIn3>k4?iN*I;INh>*
z!|myv0SrW`lYcT!d@)TPy=IVo`9dyrQxiR8g0(gDM3k7y6Bn)vL~!%#o)?RHI+7YI
zc@}NL!+;kTUWvQMuhBeQy~$9MW-VtKMxsGSiU&?bXcUPa_DaPm%RQ<a%qFJ%hSw*M
zetc>neo8#aavO(M<9ksywNn*Lc6&I8NH;h4pWTjZ;;G@qK65c3r3F24f|Ss745EDL
zQS1l~qm%E){h}ZfeJf=cCEl&4o3t07nsKr&>gPRXkQa+PNq7!<w2k%|2ro}X`gE^J
z(p2!8Pgk5Z7wu_L>}f+al}w?9jvWi3Lha^c8aowHx^8aI5Mo&Wg?_sCa^-;*`o7AD
zJ1YcL`WU}3A2?gRtSNpfwl{+=RjIDp-C}Pz?#fI(eEDM-hkn}73!%vmgvN9ZEZHe4
z=>^K}q?u6l_nQ>&M&K&FciR-GA=40GmF6>Icvq3%5#<E1`qK%{Nv>+lJYW>lVF?Yp
zEFG&JY#Q>dp{!M3p)MZ`?KdWhwAtVpRwG)xcy0#slU77o=JS}6$;_+KH52wDsfxeM
zem`@@UGNZ*bODP^@>4qV0$B+a3*mE9tA$iUMo%PnFs3i(5X&Lg)bK;mZg6#en0HZX
zu1w%`vVR1MR*8Yv;GJVLJ14o<s;bewv3Ut*uTXUt7v;=FhlSGM0@RTEcO&(B({A$7
zw3)(&UDu4Gkj3u3XYEE8R7mkC<_CHPpl^2OWv><jdtyD~Tx(Y)+C3Nxu(lZxQ<|}s
zoIEm0vb-#PxZ({OO*WQS*fPrW!9hCi9+8Ui7kCL?4|i}&AmZZ|wqVZbBlMg=(zZa_
z_QwfH3!BVf#&nd{fU-Z<#;}L9_(=!6Gz;(XGV&(Q(gpMZvfAmUY@Yu0=|<1Q?7Daz
z##YCN#xFc;R_NJ`-gVPzT$?mEd-AB1%YpY#YnTtF!3ehbHyKR}&02R$mCEDUDvEIY
zzU$n~q)wi7x1Vx$CtysI5f@Me&ugfSm={Yih_fA6bK#4hZ_Q;RN^UC~2EhzN4~IUA
zmpLm_MxE3%`aG+nrIaNDmOmF=Kvc+i`#)T`h!<fmbn0I{m~I&+fS8{;kkpC2;|xCk
zjFh_>Pt|MNwO@pPX;c#>ZScF!Idto)J_MzO4Yi+V5zmsNkt|mWs=XPpFG&?_$zwI8
z?P{yG^fWf11S%jXUREDkQD|B_<Jsv0f$Z!b_eHyi`O|4C)8_0$%nHdA<bU-gvLX78
z8lPwg?@;^Aw!AgT?0akhIM-nEowf@)K2Upy=@21&@cQ2vh8d(5t2(1jOo|daF3><E
zUl!(r_AP2i2QAMyP^@<cfjE)biMLfVGiP<DYMI7<;jW&(_+?*9_2h5)SCbO?h(um>
z8fbrPRMp*|o@yAf24eWx7zD2}E*oMqaSXU|Q`^j)#nXfP!DE7<S3YfoixOd&{UG_|
zt;*>>S-Cf|YbPSF`ugQJ*cmP6g{vEYE*6iCFIJ+0=-UXx;_(1-1fi~;{kZc6*el^6
zsTPRJ^^_yll<V^-CAty0aR^kNdsCNT9G1l<ZanHL4BG{nfd#qLCJSK1`HGdZB$=Bd
zAnDQ99RRm{j4)SGJluwpV}uuZS$VdeB(L2Lr$XI9{|vRwFfP#Pp5_>7S)tTL3p{yl
z=%xI$I^=#vByGlNz>!cbqy`Od<Tr`Eq0!Rd5B{Z5W?x&Gr>AQkD@;zNKUY<ttKrBJ
z40z(H!qcpn(wPue*e+c10OY!G7XP~o$xCis&Xa|Zy>FVDeTVDarCQ~u$Wz6t7`{Lq
z)=C<a4PZkK6yl!2I;OvtAh^IpS1|ogLgTIr&$ZWmMZkEDE?0P?7uK6{hLE>w?+Tfi
z!`{D$QT7&wSK+TsLv(8$#Bk%mx!GiOMQsZ%O5qNeD8%8AIFPlaW`o8Rx;#<K>yImV
zQ3yy4yJDNo2rnM1uNAv#X6Q0|1oDGp`sKU#GWT5^k5=U?HbqlHjXcy5H#67ECPecm
z!0h~@gL4G4n&KSa-%pBzo3sLclZiZ!WfD#O&{}SC#n5QaQmB^jjVAWi+Fs?Dwa|sA
zOnZYQzRJ=Y^syy@n$IvaAEmaEl@or;+wW@&wOvjsfAIPJ)kdG-W5XLF0`f-hcl$(2
zUezuDHR2;A8k6x8TFhMYNTy(LrMc^5<SfdH!k<XfC!@Xg?8BGu`w~e4aTmBFgkJ9q
zXp9u{-m2a_2l$JhDOn4N3gEHv(bO#AsSw=vEUP+Q<YRkG^~~qdw$Ck<v<G2stX`st
zYsgqPp2V)XO<13Tu%P)IA_Tj2J*s$LYe(uxsBpn=IA2$(x#LPypC^HB>MS!F1N6xE
z)7#X2aS!my!awR3%7`UuP|HSRZj3ZI+m#QV5Q?BFWapsfW>QY~)GxGJ{!nv=S<Nbz
z349l}#?D;%Nf6^?T&CQC7QO>Ck>*eL3g;V%u_VHSgr_qR{*wE~ZP2Kj)7%8$GEA|v
zT0Fe+cnxjnkcW=u(qGN-o3=aGc;0BLA41Ky%0e>8*OA7vd#OVpq>-|lIO<%graD6o
zTsmAk#NdZKTc89Deg)qqnSae15c>@dFX8x|>CTBqK#FQ1w5rFf^ukguXsJSSFMy+5
zszgnxI{R21qjidrKV(E4A$p7xNxj=-%VusZo?m6)0VG~*MXS8h9!NA#r&<h-d<JF@
z-}|ZAs}WzB1<Yf7QlC((W91D4BiE~n4PHh@qCTuoj_#6qP05+4K!9%^gx|H3Al{^E
zsglepaIq}F7rL~8+6Za)(V#nzn$7~gJBGCDd~yO6GSMIcz1BTH2OkyGQ4olai_dQF
z`Zyb89+j7MhA1n{iQV@>tFG)AovLYJXz4E08FHGCet9Op<bC6yBlld)!Cb^*CXr2S
z-iRXheIZ4eCL?D>TWaUM#t3OB0m*wD&K3x7<4wf-22IzN{^ABZ%Md+SP!g`!?gwa~
zEC_OoJkiECF0P9-rBeQeqD-edxbFeeEVh7@-cjq`bJ7--B%48td)pBe!;#AkjrBHI
zksoYPvJICVw#s%ksG*_cULI$s<b6Qv<MZws$!sjEWMtCg;y1<`C<xZ0wzmHK_pqe>
zP^K(VNPS{PyT?N1EvU-Uo|-2bUiaa%Ed?cUJ5Vooyc@(x2-m+qL3OReaLrkK55Cyc
zKoTN9g{uVh{J$9CpPzD4kWeG8&5}VhKwo_9|BKL#_63y@Q4*k$_$f+fXyah?bw$I!
zsQrnv?UQBFC=gp4<uz=0K#&7_KiG-=2`C^lvXCIa^!fQAJ74&WKkd-Hqb2}#H&uHh
z8AgJcq$THrc;+h=zsm_((!N1xs^u+Qf#plBD6!$l-Z&E&9sd|cH(LO#w_2(SsqU68
z34uCay~KPPs|Ycr?SE9+LYWrF21L%tCIObt(Wf3vu3WaWc$iN_*F?RCt!O)8D&@1~
z#Z*V9G!Rwv1O0xT#UNdR(!4(_vr_86C(&NV=j)d27?|NV)z3=gE;rsfrnzs2Oacbf
z0u&cdAMAJ!#{xFC)w7be&|tO{xUY{6D5NA6s>YgW%WOkzAFa$xw%isQ8I0_|MXV?u
z!J%;bFV3-h)<hP>%~#1Sh;@ofAJ``wtU#{1F8a40P46*FwsdLy(INQ!{nExjk!i4j
zTD8W&5Gwc3gjpYBmLFzyC$Nfb>Q%+6{iQxgoPcTK(krAHfO=oz8tMsa`dg4ryeO8f
z^6e9j+)Z=48gL-JWRfg<gyX8ycr12{gsw<w?)5AriZf!cM-k@RHFpHi0jJWJv~dIG
zb+P((T#6w9gkK`n*F4?`A5HNY_tg0&)<h%!Dv2IkwD^m+cHKCit>`k9N@Yf##iku$
z-F+?%>i~T_4z-Dd2Adii$HO4?9jm;`mE3JQDVpkK&ZpBzK4_IvpqOEF$4*;hcL^Xp
zGbRx=S6z})iKtfWOBKc#17(9801XHE=jJOQbz>Gh&g#?!4^n=<P1nD8*C0AKJ0{{u
zl*;lhNHrww=6!>M_yqs2^_Xa6G9dlcs{r_FIr!fj4F2j@_|Ns|U}iF}?7^OBhM(;c
zJxn-wtVkB5kDBc=IG)<iNot84r?|M78JcQ`5igV$Cje={b;O@KTKawDS1d^$7A|fx
zO<X0~GNOd%62PT<{r%zP<F)GYWutrJ^<{m^<Ne~W^WybF|NORZ24-524+l<|U6J6o
z>0W*;;`cC(@K{huH8<qidRGl-e-s9&SSUK+8?{7qtOzl8x8Gxa(Qp)7*Kpoiwx$${
zQ-1iElQ94o|7Y$$IH{vWQdj+(Mb2<+JdfhM<moiTM{W?1*Zyt-?%8X@sd}vFI>3%b
zkaDgQ;=H<gqsHmMpFdfRg0F!Eq@as{VD*5zxHTIS#eD+#)$VlHW1!&B9_OMoGHcRm
zFcbQ=Z}Y}~qw(nv#=!Zj`lEL1W^fmjq7BDH?bKQM<kvjw^9O3(548u;LnT6$`U4Ra
zfG7k8BC<)o!_G0%X(olsL#~M0bggpUlMR;nVQg;VEKR`}={T)F$UMi_WUFL-$VT5%
z${Mn@kd}Y4$5eKDSO;YlZiYA%uZ;e{5}gra#p)2lx>zPs^{|rCao?1d@cm_b$@6)I
z?oq*{)lHYFI>CYVmMj8q5zRZ*<Z2c}prx{Tj>31d=W*P^-flwzxDz}x{8)zw7TBe1
z^%K=PY$<u%iKg&g6!f5xFKjXqQ%P4aPO%?W{w2FmKjM#OVWHr=D!!As*Uxz0=B;Bk
z93Rh-LfLwlT@FVt(~xU{E(bZJ9o|=qCN-hO^I+lCDBaGhzlFv;PjV5%_lnv#(CQcs
z!rQhg?olnv-|C(8Swq31aiDorcPnt(bxDMIrk2iWWgZ|Tf%I8qUZiT?-<(jtB&qhp
zDPF?+-3?qg3$x0c!Kr}O%k&QHI9$W99X^;Hf-j$+V*;{$4i97LcNE=-w|9NvXtB-0
z;e>qBNs(3J9X>;-iMCC#EZJv#aIHB9adP_-I!f-lrGu!)fZqy7NWQ4u;Be6!YafEW
zvlmy+E{-$Hl<o@FoSk-it|jZUr-@|n<*&iPgB+>ZrZcOS1_tF#>C8lfKWl#&XAJBu
zj%+PmB+B~JXq=cf>Gasp7p06NvlmozBD49UX)fF9E!Bn$6PmeLto>BilN_8zN8UT_
z%*Spos$(gjfF*?GI1vRX`H>=SW(V>afWQS{`PGA!2uy*aL<tG0rxW#sFjc@{)LIwR
zpaOb-$?1+4lt(TKms_lOYINncyu79<Vyzd&A8e}~AmsC_QD>ay2R-wrW)yfAepFWH
zTKb|}D5yJY<j9TdICK>8Q*gIG`dGRnfdMnBc(?z-{66(Z$dp-rPA`NXv1@VdZL`v3
z(m1`ISZLyRtG-@>G#+p#a0Q($kUNn-X2uk<ts979np>Lxk@y9^tUoHz`ls}h14<r%
zcKyKZGxa%8gQxOjCx67qAqHHB4j*3Iw9=wJJl0*pxvJS|YU7aKb)&Moiovv09$|e(
zMo~yolY`y+v+kN@;|2ZXaqtD6mU{0SYZ151OrJ6;Zj-A!n(m&%$*<PNA-{&ZDY(p`
zK=*gzp^WN{w34+vEnLNt5o=#0uKoHuC-~a_Ai;hu&Gh$9f~c~Fwo451UaHIN8+C)Q
zS=lN9i>u6PXi7U_5zzP6pInEN+Lzwpe+aO=a4kkou)U}-0M*ePrM+%OYsAroYU4Ip
z6`oFm4{Zu!(d1f{(_If&4`4ax<T|q6oQ}B%C(QZvI_62S-CXl@tDX}RRfRLFid`d)
zr<6?$Cu>&aP~Y3-5HDW(c>TMPaq5f%n;%Rd_7@L2p2=B_bYNnvALZX5hr;~xRW6sT
z6)#X=n8Z9zH5f9^t9}3;6SK;nJ)6>VWy;=4Je8HJ=h%HuFG^GhJN2KnY*J&*=3FX&
zQy;7%69z(qj#Wi(pi6joelNjJaMY!GA#`kXM#~-{&GnuUMc5>SK}8W|f;1>XjvFiU
z%*q_fva&bLYiX#W*j>ec-OUr6{t3~CMG`sW?Zu+d@=TSmZ{%TsileT6{R$c*(k1ch
znKzSVekg*6TY<>2?E&in{=D<t$Ri|3g%ZcYu{_o4hX?X+U#57-sv79ogwo?!7WMe_
zPl4345MD(nq#5rc90EanU?RY81Fumt>v3D}I$Y$JCHVJGN=pCa@6bIYK%i~lzD7<`
z5cJY{pD=#(?^BZA;P$Qs0k{>=^F}}+ss>m2ZXm|=vQu2C?XW7qk`eZ`&brC|*ZfZM
zzkYWsy^~=VibpmV)c=u&PqUKLpQ9{7lcritl+ag@E=9v3%aVpEr~@$z>p|G6W&ir$
zn8$+F-|y<kCBPZQ^V1=AmTul{Xs3G8p{_R1psM_{ckVsnaMHAb8-sxQ^Fp(s%%Lp+
zl-d|Mz{`8wwb^>LK14vY)vLm6a`jAKLX`O@5jFVlJicODTIj9rf(u<DmjQzUbI^%`
zZiIC!Mt`ambk~R`TQeNmEYThN78KSLI6bT^qY;C8H7%;7aR}xz%q-|5oK)kHLPeTV
zKfgWxBGROO|1>`UXU1>BfbQo?pA>~+TwEli74(=sYYov<Ly}_h3?}9^)8UN$4C8Rp
zvCVsM6ff>9G1j<#)AGr6C_C0f6%7;SnfTTMd$GX^pYeetmiCN;3iSXNwp3LUasX?G
zN-FnI2~9RD?JISTkEQoSMkXw0zI}{chDxx(g4PADomZ`(clmX(nGZ{zQO(+iT?eDs
zl6Bt0DgEoLkl^Q9A;MEVLPohcdA)2|ltEDj9k%9v^i4a<Xx&~$8F}H)#%m-m!KlMW
zo-$s!jfrI@gh}2)u?{>1Tu0s3xS}19?gN>O3HYK|a_2TImpwcuyOu~vTnvu%cb$Py
zhpQEjq|>T{^5y~iJ`dcCJl>`GHAbcqQ<05w%=qMH6&UHLXGp;kk0wv=GebnT;jN$t
zegA_VX)c4ML>avR`*mTLzL@06WZd?$S5k*Vx^x1#GwX(>`>fF)ww+7~r8GGeEf1ps
zo}1*MIku}2#?GphnOrBevL3f_*2#32<L*?+WtxwYl}2^U#AGWZ_uTnq<h+#+hsS+t
z?wv8cB{mXbQIbP1U>2XFHgwyW(L=74inx<ro_cO;=6MM&v)rs-nI+<#HeVRe+;aYi
ztnb#FxSZN#n3&y`7Y@3T=@N^aA>(Cm2Lq^FjqG|yT-+pc#5T9alAY%$=i_f!dvnPL
ztp|}xI3Cq=ZVpTuTd%C%Th@bVdQqObtD|gT>W{6}oy3~$KDN#sT*faCtWx2VsLPKR
zBf`+LZ9>#i2*ro=<}pi8gA<xuZPP*rIhJ>r373|*WGm*lEN>=XXSsjHB1Yq6{+(Z)
zt7LHh*Vzx{?`OaN3PWhEj1%X^s>(QVAg)?vYY#+4kP?&51X?2qbXqu<OXV(53QcE<
z`50btrg|D7f2J2br@!4a`oQjR3lw0xm5{mxbaxjS8q@#j!SeFS(o-t3au~R7Apqr&
z%@L3*l*w>Wm+9(;=S<~I!5l)!ex1n~e@scD59%&|NF+w4;9oo=H?KR*90+*BdTYHJ
zZL4fbW{ty#IjvjD<)OYgz9v9V!wZzb(4SPwG6eJdDeLo2fxUF~7We;!B4)D&txjyx
zowB(Lac*tWomVm@*9sMV(3eg>wZ;X`v2cwi-6ph!;(nAv;^{n|*i)6K>`S4uv<S7l
zHZ(-ua=*@Mz;p&KEGwFDr~-qXha7j+ju#{~R?RlNy2Ytkrj1;WAF?tCwPZBp%*@dv
zy%^WtgX}{t4n+xEqXY!FB1MNu476=(F!<y&v<c_2r5olcFIKd7$c_<bWGw3gZ>fY#
z+-(4bdS=WG1j)~671C+EU$Wt#7xdzfP!G~$tQOb%-*y<UBOD45W*3D%jb=n%7-cBu
zk?cff@k$-Y<jOZaB$FP(q8p4NEJ%a6ifLnY0U%e`rABQq*+*@RETmq<+UOhZ;O|Es
zrmLbBZyu9_SsdppPA_DdHC&RTdx^Mjc7ltXB2X2#WT{UpYMf)O8=%_Ut0g}6J~wVk
zdI5qnW`Q@Zj@EfIw*clWnjw=+Z($lX1HBx7GnoZ9;ojtQOTCNM%DQ|TCEs9*&g<rg
zk{hgH6>5)DRYua{ePGOA3fT1?;ov$CQx_5Dl<*jptS2PqP*|UjTlh#z+#okFBJ|TL
zW%U6_GP9yqb2qVFNK+qcaET#XwC0)$KarjLhG`aoDoHg#qfIVe)JawQb{^P>M)-cv
zhe{oY2PSKsw-VRx)U`i7{sdPT?>NT0H8K!`V^)_dF^;!SI5TeDsW~zSk;cIi0mG}x
zA>8HY`uy*P>*C(&w%M<EsPHR7`rqRr<p0<cHtuGYmin{~#xRr8Q&QBFG?EM7q-dxn
z$EWHQ=;xWXU><Cl=bc8RWxp;3yq6gtla`{PtyL(I4yU^LIU&OecW+xY4m)){jc_Mf
zFFrP0Z`%lN#=ywZHxH0INi>VwIZd}zH^9L}JiyVh2J9)z$L^RZBxhCU=ziD2Izd9k
z*+x3iwj3J(|7r~X*T()dPTUXtdd1kU@BcoD|J>OB|0L`k^ygFD*b`qjht`=4H@`2}
zMN$(7y$)jZ$v4%_2Lj56Edd!wLUl%>Ov6<_yBi4dQD~slgQ-#B<IvP4hmxI`1?Q2b
z_V2igC*3CRxqWz+9NsTJHy#h)JFBN&yDp~Q+jt3tU=R@(^_Odt2Y?0Ccn#;oVr$Ld
zA%J4(DJXing+SmH!9=<>eLaJp++qoB;Q$1dx7+kU5XkZCIo6L<k2g>hAH@iWyN961
zBC!+{)IcsGP~v@B+61I>c0!@zQoAMc9|8id1uQJgfmq?i&x(|>yd~}Os7Z@2`Q~8`
z!kj@065IXXKxYRwV|HY(h1z0;h~L5h;;{37*nv`1;9pe;cL;g7!-NY1kHLLB0`XYp
z5fng`KhLBvV%N{4qTq;;X+CNYOM7#}Gh2Y6Fntk2SwIM{YBF00p#&iQ_(;WOzb%n`
zq6yB@TS$qcB`zcS&+f3Bvj+t~789($jgS*c$h~Q50gr8F_!kJ2+CYnR6~7R(YDxcC
z0h1!wkq8#nW=4uwWciJa>~w9)t+DhcG;jzD>j?|llcAOXwCQ{Z{oB=TFDAVNZ!9pf
zAA=syX3Ks^JC>9c=cto~EUcw&Teei>H<u67LuDm><U~3a;~ZSFbLKRzusqv)KAr*D
zR-SYFtM=@iI}N8Z$B3HUcf>}{5_;xIUUO?>H3RA9b$Q})FN1p+ryM_y8^uBp&&hj;
zx<)ZLXGwqbn{cG;ouMd)I8ha2ylWWokCf7nhkn~m>*xKAr;uj>8)tX1Z`#}R#E_k?
z0m#tkgLBN4eG2KUx@-g+GSBL;O*U;e;mAw+9GQi>yzS+MYlR06(VpkE(7(MLTP<b2
zczMI*<{1XXe=4s1?V=B|ri#Wo?0Uxueqe(eGrR^^g=or-cz0h(>sb9HV9J*sncIF7
zc1|Cdd3|vCZr>n~+Wr>39ziKD)oJXNNo&nf+$7Pshjht)S0v>kaG1aS=K&V;9krtE
z@VfF<u*cv)=Cl*`4U;jCDuC?Ri8ntC;T1f@C!BVS;Akd-x`R%h0zt)OK4f(*RB&C0
z!EEx$oecXBm6&IaB1ht!`V4OeDxy8u8k6zB1F=xUX@GCFhCH}#SX%RBrJlG1Z$E60
zg^miYENz&t(q5!h+sdL&yvAzb!=BuDvmtUtI=TQbmX6Ra8%Ur<#?)}dk0#r`NAaQ}
zLM!v*=x&+LTOwfwVOpTpAjKTF7^RPj=|u}0NQjiuDeCU6w(DntZ-=owFEmvCc2s>(
zFEFpK3?0O=NNym|nzH(LphYAoc4>ON#Et26C<ZxUe$x=3o+&!0kbp95wgse{T+5Eg
zv#QO+#R2C`&DM_nM%wmgFOrXM=-f^Ev4XC?){#O0xUk3pj93W(bDSlVAO>}BAU_G>
z@ZeyuFrr~a$UuPF_do_h!zh_ZFRyQ2*JOhbU{IG9p`>{d!CQRNN1GqmS5ehZZL^%!
zY`GdqNW(C8zp^g}v072i8?NqVo1<lAJts^gnVj(0uWi|iiHr59Sc1{EIGkuNNmw(6
zwj$*qw5#)ITh{8=)=J^K)T_spDXTnvZmPE5*o`r6Rzn0`EwwS&i@D@-4puu}EuTv)
z!79k?2^V0uX(I(X-vJ}8t;?c^15x3?U4xXxwDafp7|~lVEIc^hk!I^jay<t(EZPiR
zEV@5saJ}f;=CKwzW0G6+Z_oxp6m1PtRw4(w?BV4a+M@so+(nbD@Lw0FC59PXUP_gB
z&T2G1+!o2|m&UXohIGvN>Y+bZ8w<^dv|HpYHJaG>Rc@$ZoZ@km5b|*#aoXI`*BVgX
z!x2$OT+Ozf9{4$Io0O1=96cErU$khIGE)9gna@rp&Et4gsi*g<WIUHy5V4R?potAR
zR}LztWKBQpU=rcUg&whlouJ(Y_k{LbM<9EU{*)<3IkrD0;jmKr=0LA$1t!S%u;#Tw
z)lTW3eg{h|`-JzKm?JYoYyEn9wCY%Aaa$M317XgFB5su!>jvYzRLWB;B;~h$kQr|{
z<5^a7h*c4`&x(~5C6bBfp;hw_3#3;|vdcw4&h3Q+c3h7MWzM9fD(u=ed;8hl@Y_7-
zP%3qNXNyNRm(f&UdU}i;G4&AYg0~y^QCY&T5pWejhYhiET@F4>^|eJXMldG<h|gr3
zP(Pa;<QFb&gHPG*JQymUfCx*9B*{6_9Vej==F^>kQtV;h>0BgJun%wCWMsA{`47n6
zOCQkDz8zw43Cu#{0cuytAI-;o+l8f2_3o8Ny$2-%f{0zS+kd(|@_M~wQ6PQl)eXDC
z8=RzLF*T4&E?TP0&32xTU-lP0jPAAipWm_Y_0#P_0?RBA_Q?<`)^27CaxS>P-&kb2
zwe_|7vy?`lzZF9V_fBlHg^CiZcv2NI7C(qib#X5Z7#bmrL)hAgb>%wG?=oZ2!hU0e
za=yiQcZm*>uU}j(ZzL&yjW!_-Gr5xlQ<`1>u|ccj0kF2-+GodZADvvLQe+aRgh%Xb
zH18(4n>5OR@F5<oeqiNJGVx&&?lDcs?(40$Uu_<BFbLN4trcC=bKG{$?9{%d!g@Pv
zC@=4}25vb~uhLVBTse`~!+$y(!Mv2iVfaoQpkCM5r7Ua}KWZz(ZRdC`bxz}-Zs6~C
zsCU6aGk{t*FSEOxzQ<r4-TOZA?L7QV!(m#J*|wJB-f5QU+`L4;e|qj#s<uA~?dL^V
zt?R@Mt=;`0d!=B=&`1RIt;Cyg%#E607O1z*jZN0v>X<^AYNd~;h*=-jttJZ}v^qRk
z7jgsda)<MyZ9kpU&5~pn$=Z=|kw*awGxOA%B&TEB$Hj-R6ORhFVtwoO%x~hX<l6D!
zrRML;&i%Av@Ab?E4!|Lu{_bO?Z75wp8Hy)Xt1mj&Tfl7OyCqJN%9jJ9g`Gd~8<Ful
zJv!g9<uLdehk;Ua|3JVMAiWXb04;vPVDJMazT?tkzf?yqV~`m^2U73kKnrz0M+w|{
z#(J~p9PpZ~1gJ1dhs{&cwdPgXC$!w^B2>*B2Ni$jgk%E)<^J-mK^TMAt5gGq3QVpT
zw8Nt5SJM6Lj>+als+NWOHVaD#834(;Q%Ydj%d=D=Kq4d(BVIT?jFNsac(r4;{cErL
zN-pWw8z1%uaO#j&w$8NfpYdL$HMg!7r+e@Trvj6+hlF&MdSvaYvmPF_pUWl{${U?3
zpQXJv$Ylr?yA<t(u=%W`9vWrZQp>mH(uZsOCok?7rl7Z|$dqdGiDq|Ya&5!!_Ay=0
zy@>^T)$F|iu#B09tTMa!jwG7XNe)B^b*F?~{M*z{1I!@hzLU)>>41gf=0c*<L2MW3
zwSz^M%ZNpqYiP*stl5Hfs&NV$hHv)^)>7>k3HW3`|1h>B#E}I8U;J31uoLSqq$#jF
z=T#wDF+IOBcy`Se$$Fwg*UqJibDopV!EnjR92wZ0RlrlC-EHI0HfDG(_UEp@cVWG^
zhI!P#7_&WVZ-rg(8Wn_#JP!i(cj5u15_=E?<}#ryVq$lUaJX0*(<ZGVn!-oOjfuQz
zFy+heV&);6ktsH@eYMEG;?i6U13V^a`CK*DNQ!LazSRpCqSR@wMw|iaTPsd~jd1OG
zBt>e2HX6Aji8+8Mp)pIl`y79=@J{j!y83k7gr<_`)M@DnY$&5Xb#U)^WuR#b2WBwf
z)Z)OdYHZgoMVmCA5(OhA&0`n6Ki%pnsR0>O55Cesyg^Qt*|0**Y!>A!eMkQiA{`Fr
zJ@p`T3=g|Ldd@4Q{c8G)brY<8Y%u=(b39aqW(5`q=+z1^TuxbxF9pI$%%=CuDVcSm
zWWc0n1CR^Cu|oiQzUc!2&HngsxVr6oc^c|Uy96Kg;R6rx*5VT=yhQaDzp?SaF8SyT
z_XQv^#)0STt#Pm4`u`k8+*Lt8ByEM5<*TR%;`0aIojcPz)@pN+=hCN*P3}62JC@JH
zB+F-L`@Y#+iHJE4AD0<7p*dlGe|G1$&wj~$g;ZVY1($U36rIp9t8!P^{NO6Cr77df
zaa?Gf<s1^vHVCKD<#V|^uf6%+CN_36ubG)6^N3#^%HE5IOTB;KSgz+lYo6j+nT>bv
z#y7{c=^dbaviY06=ki|OIzp-@<xSdF+2%=Z_J)Ku@J3<i-hF%istKJq70m8_I7p-;
zV2){4CzfE9w(Srr-Iln{ypzFj=<F3$#sxgh*kvBrsy&Y4&-~IX(JHz0E=1Td5d(ga
zU||TDY_*O6%l_zag$J2(Mcnt9V7ufap5V6ZGCUFG&R2i1ROBxIH7?`p`i#qh;p{+*
z?i6?XPcwIq;d*DX3c|jtpoNJPbXEKZSd$C)0h8`=E{mzc$aIZ+YIU%~)_Ii_^x1pP
z9n>9#hy~O;o<0do0q(gU!x~{GIkBL>HVl9K`MoN#k(@`)GAnUZQx3Bh4wAuN=*H<&
z)<4>pw2j`OU-xXc^Su3=RXW%ee^pp|(bpxzN}11Yr!P>$%u+{7xBi+Y>zB99)@??x
zIrDe6<y@vRLY+|#L_~5#=9+rHh3|rbj-gl_dD%MWTS1+)Ycuf<4H&!*o=UM!p$__t
zpFhIJ9du5jYHBu?5?Eu}WN6pB(P(p7?G2uveg3;pck*;E8viBo2L4rxlam4lK>_-=
z7MRW8(24*H5Ks*fFwkE*aQ|rr`i2%J_BKw|fG=IRe?qsofzk}rfPkKGL4f|M^8MR9
zza0Jt^s5GK`%gHGhbCPdArR13`M)&E{td^C1_JsLAagXb{!5PTpSZtk+QI)D^!0R5
z{de5|H0IwW*8X$0t=s?5!29R0f0tAH&)FL9{tt?5|Aha&c>kB?+P|&w3;usAu>I55
z-wUsQmHYo~!AQXWD7OAr*6p7@{+_`5&*`9{{L{x*!S<i<zvnvsN(TJfzT^E3{$Hbi
z<^2BX;qQrtzj7k~HZsD$d-(4R$v++ZeO3SGE1dpM4!*Jza#G-b$<+bDeSO}(5;fg)
JU)&0y{|5&_dyD`8

diff --git a/example/src/main/resources/static/files/web-eid-0.9.3.869.pkg b/example/src/main/resources/static/files/web-eid-0.9.3.869.pkg
deleted file mode 100644
index 2422585..0000000
--- a/example/src/main/resources/static/files/web-eid-0.9.3.869.pkg
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:aeb461c229974e8ac77863adb2c44005e6de97bce0d91f0c06585cab15897f10
-size 16356278
diff --git a/example/src/main/resources/static/files/web-eid-0.9.3.869.x64.msi b/example/src/main/resources/static/files/web-eid-0.9.3.869.x64.msi
deleted file mode 100644
index 61af046..0000000
--- a/example/src/main/resources/static/files/web-eid-0.9.3.869.x64.msi
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2fd08ee1e391963cfbed560a0a264ff0b1dec49b51a2aa152990170e693e009b
-size 18817024
diff --git a/example/src/main/resources/static/files/web-eid-0.9.4.76.pkg b/example/src/main/resources/static/files/web-eid-0.9.4.76.pkg
new file mode 100644
index 0000000..7787ba1
--- /dev/null
+++ b/example/src/main/resources/static/files/web-eid-0.9.4.76.pkg
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:78f7f879bc0e2a23e5cad20baa82b69eaba06710d8259516e9f13e2c482a49ba
+size 21001267
diff --git a/example/src/main/resources/static/files/web-eid-0.9.4.76.x64.msi b/example/src/main/resources/static/files/web-eid-0.9.4.76.x64.msi
new file mode 100644
index 0000000..d95fd64
--- /dev/null
+++ b/example/src/main/resources/static/files/web-eid-0.9.4.76.x64.msi
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1fd96cc362defc7899d44821fcc9d72dcc29a6ca6674747158b32774d2d99e7a
+size 18944000
diff --git a/example/src/main/resources/static/files/web-eid_0.9.3.869_amd64.deb b/example/src/main/resources/static/files/web-eid_0.9.3.869_amd64.deb
deleted file mode 100644
index 1c9c408..0000000
--- a/example/src/main/resources/static/files/web-eid_0.9.3.869_amd64.deb
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:45191ae3e12f69f457e74afd5b852104f4099adb7a6861b011ccbef671cd4eae
-size 113064
diff --git a/example/src/main/resources/static/files/web-eid_0.9.4.76_amd64.deb b/example/src/main/resources/static/files/web-eid_0.9.4.76_amd64.deb
new file mode 100644
index 0000000..058cb88
--- /dev/null
+++ b/example/src/main/resources/static/files/web-eid_0.9.4.76_amd64.deb
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a6711039ec2ced20ad2b78e80d9df1dc7839b57a1fcfb4f8f49a0b44ffe1d440
+size 146324
diff --git a/example/src/main/resources/static/index.html b/example/src/main/resources/static/index.html
index 4ccc697..0c9b48f 100644
--- a/example/src/main/resources/static/index.html
+++ b/example/src/main/resources/static/index.html
@@ -37,36 +37,18 @@ <h4>Testing</h4>
                 added as well, but it is not yet published):
             </p>
             <ol>
-                <li>Currently you need an Estonian eID test card for testing, and
-                    the authentication and signing certificates of the test card must be uploaded to the
-                    <a href="https://demo.sk.ee/upload_cert/index.php">demo.sk.ee OCSP responder database</a>.
-                </li>
                 <li>
-                    Download and install the Web eID native app:
+                    Download and run the Web eID native app and browser extension installer:
                     <ul>
-                        <li>
-                            for Ubuntu Linux 20.04 from <a href="/files/web-eid_0.9.3.869_amd64.deb">here</a>
-                        </li>
-                        <li>for macOS 10.13 or later from <a href="/files/web-eid-0.9.3.869.pkg">here</a></li>
-                        <li>for Windows 10 from <a href="/files/web-eid-0.9.3.869.x64.msi">here</a>.</li>
+                        <li>for Ubuntu Linux 20.04 from <a href="/files/web-eid_0.9.4.76_amd64.deb">here</a></li>
+                        <li>for macOS 10.13 or later from <a href="/files/web-eid-0.9.4.76.pkg">here</a></li>
+                        <li>for Windows 10 from <a href="/files/web-eid-0.9.4.76.x64.msi">here</a>.</li>
                     </ul>
                 </li>
                 <li>
-                    The installer will install the browser extension for Chrome and Edge automatically.
-                    The extension must be manually enabled in Edge and may require manual enabling in Chrome
-                    as well under certain circumstances.
-                </li>
-                <li>The installer will also install the browser extension for Firefox automatically in
-                    Ubuntu Linux and macOS. In Windows, the Firefox browser extension has to be manually
-                    installed:
-                    <ul>
-                        <li>download the extension from <a href="/files/firefox/web-eid-webextension-0.9.1.xpi">here</a>
-                        </li>
-                        <li>in Firefox, open the Firefox menu and click <i>Add-ons</i></li>
-                        <li>from the settings cog, open <i>Install Add-on From File</i></li>
-                        <li>browse to and open the XPI file from the location where it was saved</li>
-                        <li>When prompted click <i>Add</i></li>
-                    </ul>
+                    The installer will install the browser extension for Chrome, Edge and Firefox automatically.
+                    The extension must be manually enabled from the browser extensions management page
+                    and may need browser restart under certain circumstances.
                 </li>
                 <li>
                     Attach a smart card reader to the computer and insert the eID card into the reader.

From 91baa012b36acec10ad42eaa0a39b1bc1c722062 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 23 Feb 2021 23:03:19 +0200
Subject: [PATCH 012/116] feat: use AIA OCSP and LT profile during signing,
 bump authtoken-validation to v1.0.1

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/pom.xml                                 |  9 ++++++++-
 .../webeid/example/service/SigningService.java  | 17 ++++++++++-------
 example/src/main/resources/static/index.html    |  4 ++--
 3 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/example/pom.xml b/example/pom.xml
index a7f8064..2023ab8 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -20,6 +20,7 @@
 		<java.version>1.8</java.version>
 		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
 		<caffeine.version>2.8.5</caffeine.version>
+		<webeid.version>1.0.1</webeid.version>
 		<jmockit.version>1.44</jmockit.version>
 	</properties>
 
@@ -80,7 +81,7 @@
 		<dependency>
 			<groupId>org.webeid.security</groupId>
 			<artifactId>authtoken-validation</artifactId>
-			<version>1.0.0</version>
+			<version>${webeid.version}</version>
 		</dependency>
 
 		<dependency>
@@ -137,6 +138,12 @@
 		<repository>
 			<id>gitlab</id>
 			<url>https://gitlab.com/api/v4/projects/19948337/packages/maven</url>
+			<releases>
+				<enabled>true</enabled>
+			</releases>
+			<snapshots>
+				<enabled>true</enabled>
+			</snapshots>
 			<!-- Github Packages does not currently support public access, so disabled until it does.
 			     See https://github.community/t/download-from-github-package-registry-without-authentication/14407
 			<id>github</id>
diff --git a/example/src/main/java/org/webeid/example/service/SigningService.java b/example/src/main/java/org/webeid/example/service/SigningService.java
index b94043b..0a48486 100644
--- a/example/src/main/java/org/webeid/example/service/SigningService.java
+++ b/example/src/main/java/org/webeid/example/service/SigningService.java
@@ -61,9 +61,11 @@ public class SigningService {
     ObjectFactory<HttpSession> httpSessionFactory;
 
     public SigningService(ObjectFactory<HttpSession> httpSessionFactory, YAMLConfig yamlConfig) {
-        this.signingConfiguration = Configuration.of(yamlConfig.getUseDigiDoc4jProdConfiguration() ?
-                Configuration.Mode.PROD : Configuration.Mode.TEST);
         this.httpSessionFactory = httpSessionFactory;
+        signingConfiguration = Configuration.of(yamlConfig.getUseDigiDoc4jProdConfiguration() ?
+                Configuration.Mode.PROD : Configuration.Mode.TEST);
+        // Use automatic AIA OCSP URL selection from certificate for signatures.
+        signingConfiguration.setPreferAiaOcsp(true);
     }
 
     private HttpSession currentSession() {
@@ -111,11 +113,12 @@ public DigestDTO prepareContainer(CertificateDTO certificateDTO) throws Certific
         String containerName = generateContainerName(fileDTO.getName());
         LOG.info("Preparing container for signing for file '{}'", containerName);
 
-        DataToSign dataToSign = SignatureBuilder.
-                aSignature(containerToPrepare).
-                withSigningCertificate(certificate).
-                withSignatureDigestAlgorithm(TokenAlgorithmSupport.determineSignatureDigestAlgorithm(certificate)).
-                buildDataToSign();
+        DataToSign dataToSign = SignatureBuilder
+                .aSignature(containerToPrepare)
+                .withSignatureProfile(SignatureProfile.LT) // AIA OCSP is supported for signatures with LT or LTA profile.
+                .withSigningCertificate(certificate)
+                .withSignatureDigestAlgorithm(TokenAlgorithmSupport.determineSignatureDigestAlgorithm(certificate))
+                .buildDataToSign();
 
         currentSession().setAttribute(SESSION_ATTR_DATA, dataToSign);
 
diff --git a/example/src/main/resources/static/index.html b/example/src/main/resources/static/index.html
index 0c9b48f..d3502f8 100644
--- a/example/src/main/resources/static/index.html
+++ b/example/src/main/resources/static/index.html
@@ -33,7 +33,7 @@ <h2>Web eID test page</h2>
             <hr/>
             <h4>Testing</h4>
             <p>
-                Instructions for testing in Firefox, Chrome, Edge or Opera (support for Safari has been already
+                Instructions for testing in Firefox, Chrome or Edge (support for Safari has been already
                 added as well, but it is not yet published):
             </p>
             <ol>
@@ -46,7 +46,7 @@ <h4>Testing</h4>
                     </ul>
                 </li>
                 <li>
-                    The installer will install the browser extension for Chrome, Edge and Firefox automatically.
+                    The installer will install the browser extension for all supported browsers automatically.
                     The extension must be manually enabled from the browser extensions management page
                     and may need browser restart under certain circumstances.
                 </li>

From f98f208a42166123b088bd80d9e5bdaf12c6040d Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Wed, 24 Feb 2021 01:18:59 +0200
Subject: [PATCH 013/116] feat: add a static example text document for testing
 signing, disable upload (#2)

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 .../config/ApplicationConfiguration.java      |   5 +-
 .../example/service/SigningService.java       |  91 ++++----
 .../webeid/example/service/dto/FileDTO.java   |  51 +++--
 .../example/web/rest/SigningController.java   |  17 +-
 .../static/files/example-for-signing.txt      |   1 +
 .../welcome-with-file-upload-support.html     | 131 ++++++++++++
 .../src/main/resources/templates/welcome.html | 195 +++++++-----------
 .../webeid/example/WebApplicationTest.java    |   4 +-
 8 files changed, 302 insertions(+), 193 deletions(-)
 create mode 100644 example/src/main/resources/static/files/example-for-signing.txt
 create mode 100644 example/src/main/resources/templates/welcome-with-file-upload-support.html

diff --git a/example/src/main/java/org/webeid/example/config/ApplicationConfiguration.java b/example/src/main/java/org/webeid/example/config/ApplicationConfiguration.java
index 59e088f..0d52175 100644
--- a/example/src/main/java/org/webeid/example/config/ApplicationConfiguration.java
+++ b/example/src/main/java/org/webeid/example/config/ApplicationConfiguration.java
@@ -67,6 +67,10 @@ protected void configure(HttpSecurity http) throws Exception {
             .logoutUrl("/logout")
             .deleteCookies("JSESSIONID")
             .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
+         .and()
+            .headers()
+            .frameOptions()
+            .sameOrigin()
          .and()
             .csrf()
             .disable();
@@ -77,5 +81,4 @@ public void addViewControllers(ViewControllerRegistry registry) {
         registry.addViewController("/welcome").setViewName("welcome");
     }
 
-
 }
diff --git a/example/src/main/java/org/webeid/example/service/SigningService.java b/example/src/main/java/org/webeid/example/service/SigningService.java
index 0a48486..f350dc2 100644
--- a/example/src/main/java/org/webeid/example/service/SigningService.java
+++ b/example/src/main/java/org/webeid/example/service/SigningService.java
@@ -41,12 +41,10 @@
 import javax.servlet.http.HttpSession;
 import javax.xml.bind.DatatypeConverter;
 import java.io.IOException;
-import java.nio.charset.StandardCharsets;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
-import java.util.Base64;
 import java.util.Objects;
 
 @Service
@@ -72,49 +70,25 @@ private HttpSession currentSession() {
         return httpSessionFactory.getObject();
     }
 
-    /**
-     * Creates a {@link Container} using given name and files.
-     *
-     * @param fileDTO container file
-     * @return new {@link Container} instance
-     */
-    public FileDTO createContainer(FileDTO fileDTO) {
-
-        LOG.info("Creating container for file '{}'", fileDTO.getName());
-        ContainerBuilder builder = ContainerBuilder.aContainer(Container.DocumentType.ASICE);
-
-        byte[] fileBytes = Base64.getDecoder().decode(fileDTO.getBase64String().getBytes(StandardCharsets.UTF_8));
-        DataFile dataFile = new DataFile(fileBytes, fileDTO.getName(), fileDTO.getContentType());
-        builder.withDataFile(dataFile);
-
-        LOG.info("Successfully created container '{}'", fileDTO.getName());
-        Container containerToSign = builder.withConfiguration(signingConfiguration).build();
-
-        currentSession().setAttribute(SESSION_ATTR_CONTAINER, containerToSign);
-        currentSession().setAttribute(SESSION_ATTR_FILE, fileDTO);
-
-        FileDTO newFileDTO = new FileDTO();
-        newFileDTO.setName(fileDTO.getName());
-
-        return newFileDTO;
-    }
-
     /**
      * Prepares given container {@link Container} for the signature process.
      *
      * @param certificateDTO user's X.509 certificate
      * @return data to be signed
      */
-    public DigestDTO prepareContainer(CertificateDTO certificateDTO) throws CertificateException, NoSuchAlgorithmException {
+    public DigestDTO prepareContainer(CertificateDTO certificateDTO) throws CertificateException, NoSuchAlgorithmException, IOException {
+        FileDTO fileDTO = FileDTO.getExampleForSigningFromResources();
+        Container containerToSign = getContainerToSign(fileDTO);
+        String containerName = generateContainerName(fileDTO.getName());
         X509Certificate certificate = certificateDTO.toX509Certificate();
-        FileDTO fileDTO = (FileDTO) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_FILE));
-        Container containerToPrepare = (Container) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_CONTAINER));
 
-        String containerName = generateContainerName(fileDTO.getName());
+        currentSession().setAttribute(SESSION_ATTR_CONTAINER, containerToSign);
+        currentSession().setAttribute(SESSION_ATTR_FILE, fileDTO);
+
         LOG.info("Preparing container for signing for file '{}'", containerName);
 
         DataToSign dataToSign = SignatureBuilder
-                .aSignature(containerToPrepare)
+                .aSignature(containerToSign)
                 .withSignatureProfile(SignatureProfile.LT) // AIA OCSP is supported for signatures with LT or LTA profile.
                 .withSigningCertificate(certificate)
                 .withSignatureDigestAlgorithm(TokenAlgorithmSupport.determineSignatureDigestAlgorithm(certificate))
@@ -154,20 +128,14 @@ public FileDTO signContainer(SignatureDTO signatureDTO) {
             containerToSign.addSignature(signature);
             currentSession().setAttribute(SESSION_ATTR_CONTAINER, containerToSign);
 
-            FileDTO result = new FileDTO();
-            result.setName(generateContainerName(fileDTO.getName()));
-            return result;
+            return new FileDTO(generateContainerName(fileDTO.getName()));
+
         } catch (Exception ex) {
             LOG.error("Signing of container caused an error", ex);
             throw new RuntimeException("Signing of container caused an error");
         }
     }
 
-    private String generateContainerName(String fileName) {
-        return FilenameUtils.removeExtension(fileName) + ".asice";
-    }
-
-
     public String getContainerName() {
         FileDTO fileDTO = (FileDTO) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_FILE));
         return generateContainerName(fileDTO.getName());
@@ -177,4 +145,43 @@ public ByteArrayResource getSignedContainerAsResource() throws IOException {
         Container signedContainer = (Container) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_CONTAINER));
         return new ByteArrayResource(ByteStreams.toByteArray(signedContainer.saveAsStream()));
     }
+
+    private Container getContainerToSign(FileDTO fileDTO) {
+        LOG.info("Creating container for file '{}'", fileDTO.getName());
+
+        final DataFile dataFile = new DataFile(fileDTO.getContentBytes(), fileDTO.getName(), fileDTO.getContentType());
+        return ContainerBuilder
+                .aContainer(Container.DocumentType.ASICE)
+                .withDataFile(dataFile)
+                .withConfiguration(signingConfiguration)
+                .build();
+    }
+
+    private String generateContainerName(String fileName) {
+        return FilenameUtils.removeExtension(fileName) + ".asice";
+    }
+
+    /*  Here is an example method that demonstrates how to handle file uploads.
+     *  See also SigningController.upload().
+     *
+     * Creates a {@link Container} using given name and files.
+     *
+     * @param fileDTO container file
+     * @return new {@link Container} instance
+    public FileDTO createContainer(FileDTO fileDTO) {
+
+        Container containerToSign = getContainerToSign(fileDTO);
+
+        currentSession().setAttribute(SESSION_ATTR_CONTAINER, containerToSign);
+        currentSession().setAttribute(SESSION_ATTR_FILE, fileDTO);
+
+        FileDTO newFileDTO = new FileDTO(fileDTO.getName());
+        return newFileDTO;
+    }
+    */
+    /* When using uploaded files, retrieve file information and container from the session in prepareContainer().
+
+    FileDTO fileDTO = (FileDTO) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_FILE));
+    Container containerToSign = (Container) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_CONTAINER));
+     */
 }
diff --git a/example/src/main/java/org/webeid/example/service/dto/FileDTO.java b/example/src/main/java/org/webeid/example/service/dto/FileDTO.java
index 09c82de..bea02af 100644
--- a/example/src/main/java/org/webeid/example/service/dto/FileDTO.java
+++ b/example/src/main/java/org/webeid/example/service/dto/FileDTO.java
@@ -22,46 +22,59 @@
 
 package org.webeid.example.service.dto;
 
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.util.MimeTypeUtils;
 import org.springframework.web.multipart.MultipartFile;
 
 import java.io.IOException;
-import java.util.Base64;
+import java.net.URI;
+import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.util.Objects;
 
 public class FileDTO {
-    private String name;
-    private String base64String;
+    private static final String EXAMPLE_FILENAME = "example-for-signing.txt";
+
+    private final String name;
     private String contentType;
+    private byte[] contentBytes;
 
-    public static FileDTO fromMultipartFile(MultipartFile file) throws IOException {
-        FileDTO dto = new FileDTO();
-        dto.name = Objects.requireNonNull(file.getOriginalFilename());
-        dto.contentType = Objects.requireNonNull(file.getContentType());
-        dto.base64String = Base64.getEncoder().encodeToString(Objects.requireNonNull(file.getBytes()));
-        return dto;
+    public FileDTO(String name) {
+        this.name = name;
     }
 
-    public String getName() {
-        return name;
+    public FileDTO(String name, String contentType, byte[] contentBytes) {
+        this.name = name;
+        this.contentType = contentType;
+        this.contentBytes = contentBytes;
     }
 
-    public void setName(String name) {
-        this.name = name;
+    public static FileDTO fromMultipartFile(MultipartFile file) throws IOException {
+        return new FileDTO(
+                Objects.requireNonNull(file.getOriginalFilename()),
+                Objects.requireNonNull(file.getContentType()),
+                Objects.requireNonNull(file.getBytes())
+        );
     }
 
-    public String getBase64String() {
-        return base64String;
+    public static FileDTO getExampleForSigningFromResources() throws IOException {
+        final URI resourceUri = new ClassPathResource("/static/files/" + EXAMPLE_FILENAME).getURI();
+        return new FileDTO(
+                EXAMPLE_FILENAME,
+                MimeTypeUtils.TEXT_PLAIN_VALUE,
+                Files.readAllBytes(Paths.get(resourceUri))
+        );
     }
 
-    public void setBase64String(String base64String) {
-        this.base64String = base64String;
+    public String getName() {
+        return name;
     }
 
     public String getContentType() {
         return contentType;
     }
 
-    public void setContentType(String contentType) {
-        this.contentType = contentType;
+    public byte[] getContentBytes() {
+        return contentBytes;
     }
 }
diff --git a/example/src/main/java/org/webeid/example/web/rest/SigningController.java b/example/src/main/java/org/webeid/example/web/rest/SigningController.java
index c049630..5cb934f 100644
--- a/example/src/main/java/org/webeid/example/web/rest/SigningController.java
+++ b/example/src/main/java/org/webeid/example/web/rest/SigningController.java
@@ -27,7 +27,6 @@
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
-import org.springframework.web.multipart.MultipartFile;
 import org.webeid.example.service.SigningService;
 import org.webeid.example.service.dto.CertificateDTO;
 import org.webeid.example.service.dto.DigestDTO;
@@ -48,13 +47,8 @@ public SigningController(SigningService signingService) {
         this.signingService = signingService;
     }
 
-    @PostMapping(value = "upload", produces = "application/json")
-    public FileDTO upload(@RequestParam("file") MultipartFile multipartFile) throws IOException {
-        return signingService.createContainer(FileDTO.fromMultipartFile(multipartFile));
-    }
-
     @PostMapping("prepare")
-    public DigestDTO prepare(@RequestBody CertificateDTO data) throws CertificateException, NoSuchAlgorithmException {
+    public DigestDTO prepare(@RequestBody CertificateDTO data) throws CertificateException, NoSuchAlgorithmException, IOException {
         return signingService.prepareContainer(data);
     }
 
@@ -72,4 +66,13 @@ public ResponseEntity<Resource> download() throws IOException {
                 .header(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=" + signingService.getContainerName())
                 .body(resource);
     }
+
+    /*  Here is an example endpoint that demonstrates how to handle file uploads.
+        See also resources/templates/welcome-with-file-upload-support.html.
+
+    @PostMapping(value = "upload", produces = "application/json")
+    public FileDTO upload(@RequestParam("file") MultipartFile multipartFile) throws IOException {
+        return signingService.createContainer(FileDTO.fromMultipartFile(multipartFile));
+    }
+    */
 }
diff --git a/example/src/main/resources/static/files/example-for-signing.txt b/example/src/main/resources/static/files/example-for-signing.txt
new file mode 100644
index 0000000..07a5be0
--- /dev/null
+++ b/example/src/main/resources/static/files/example-for-signing.txt
@@ -0,0 +1 @@
+This is an example text file for testing digital signing.
\ No newline at end of file
diff --git a/example/src/main/resources/templates/welcome-with-file-upload-support.html b/example/src/main/resources/templates/welcome-with-file-upload-support.html
new file mode 100644
index 0000000..6734cfe
--- /dev/null
+++ b/example/src/main/resources/templates/welcome-with-file-upload-support.html
@@ -0,0 +1,131 @@
+<!DOCTYPE html>
+<html lang="en" xmlns:th="http://www.thymeleaf.org">
+    <head>
+        <meta charset="UTF-8" />
+        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
+        <title>Welcome!</title>
+        <link
+            href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css"
+            rel="stylesheet"
+            crossorigin="anonymous"
+        />
+        <link
+            href="/css/main.css"
+            rel="stylesheet"
+        />
+    </head>
+    <body class="m-4">
+        <div class="container">
+            <div class="row justify-content-md-center">
+                <div class="col-xs-12 col-md-8" style="padding-top: 3rem;">
+                    <div style="text-align: center;">
+                        <h2 class="adding-signature">Sign a document</h2>
+                        <p th:text="'Welcome, ' + ${principalName} + '!'" class="welcome-line"></p>
+                    </div>
+                    <div id="file-name"></div>
+                    <p class="text-center p-4">
+                        <button id="webeid-sign-button" class="btn btn-info" style="display: none;">Sign container</button>
+                        <button id="webeid-download-button" class="btn btn-success" style="display: none;">Download container</button>
+                    </p>
+                </div>
+                <button id="webeid-logout-button" class="btn btn-info">Logout</button>
+            </div>
+        </div>
+        <div id="error-message" class="alert alert-danger" style="display: none;" role="alert">
+            <div class="message"></div>
+            <pre class="details"></pre>
+        </div>
+
+        <script type="module">
+            "use strict";
+            import * as webeid from "/js/web-eid-0.9.0.js";
+            import { hideErrorMessage, showErrorMessage } from "/js/error-message.js";
+
+            const signButton = document.querySelector("#webeid-sign-button");
+            const downloadButton = document.querySelector("#webeid-download-button");
+
+            const fileUploadArea = document.querySelector("#file-drop-area");
+            const fileUploadInput = document.querySelector("#webeid-upload-file");
+            const fileNameText = document.querySelector("#file-name");
+
+            fileUploadArea.classList.add( 'has-advanced-upload' );
+
+            ['drag', 'dragstart', 'dragend', 'dragover', 'dragenter', 'dragleave', 'drop'].forEach( function( event )
+            {
+                fileUploadArea.addEventListener( event, function( e )
+                {
+                    // preventing the unwanted behaviours
+                    e.preventDefault();
+                    e.stopPropagation();
+                });
+            });
+            ['dragover', 'dragenter'].forEach( function( event )
+            {
+                fileUploadArea.addEventListener( event, function()
+                {
+                    fileUploadArea.classList.add('is-dragover');
+                });
+            });
+            ['dragleave', 'dragend', 'drop'].forEach( function( event )
+            {
+                fileUploadArea.addEventListener( event, function()
+                {
+                    fileUploadArea.classList.remove('is-dragover');
+                });
+            });
+
+            async function uploadFile(file) {
+                const formData  = new FormData();
+                formData.append("file", file)
+
+                const response = await fetch("/sign/upload", {
+                    method: 'POST',
+                    body: formData
+                });
+
+                response.json().then(data => {
+                    signButton.removeAttribute("style");
+                    fileNameText.textContent = "File uploaded: " + data.name;
+                    downloadButton.setAttribute("style", "display: none;");
+                    fileUploadArea.setAttribute("style", "display: none;");
+                });
+            }
+
+            document.querySelector("#webeid-logout-button").addEventListener("click", async () => {
+                await fetch("/logout");
+                window.location.href = "/";
+            });
+
+            downloadButton.addEventListener("click", async () => {
+                window.location.href = "/sign/download";
+            });
+
+            fileUploadInput.addEventListener("input", async () => {
+                const firstFile = fileUploadInput.files[0];
+                await uploadFile(firstFile);
+            });
+
+            signButton.addEventListener("click", async () => {
+                const options = {
+                    postPrepareSigningUrl: window.location.origin + "/sign/prepare",
+                    postFinalizeSigningUrl: window.location.origin + "/sign/sign"
+                };
+
+                hideErrorMessage();
+                signButton.disabled = true;
+
+                try {
+                    const response = await webeid.sign(options);
+                    signButton.setAttribute("style", "display: none;");
+                    downloadButton.removeAttribute("style");
+                    fileNameText.textContent = "Signature added: " + response.body.name;
+                } catch (error) {
+                    showErrorMessage(error);
+                    throw error;
+                } finally {
+                    signButton.disabled = false;
+                }
+            });
+        </script>
+    </body>
+</html>
diff --git a/example/src/main/resources/templates/welcome.html b/example/src/main/resources/templates/welcome.html
index c28462e..82a9826 100644
--- a/example/src/main/resources/templates/welcome.html
+++ b/example/src/main/resources/templates/welcome.html
@@ -1,143 +1,92 @@
 <!DOCTYPE html>
 <html lang="en" xmlns:th="http://www.thymeleaf.org">
-    <head>
-        <meta charset="UTF-8" />
-        <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
-        <title>Welcome!</title>
-        <link
+<head>
+    <meta charset="UTF-8"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
+    <title>Welcome!</title>
+    <link
             href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css"
             rel="stylesheet"
             crossorigin="anonymous"
-        />
-        <link
+    />
+    <link
             href="/css/main.css"
             rel="stylesheet"
-        />
-    </head>
-    <body class="m-4">
-        <div class="container">
-            <div class="row justify-content-md-center">
-                <div class="col-xs-12 col-md-8" style="padding-top: 3rem;">
-                    <div style="text-align: center;">
-                        <h2 class="adding-signature">Adding Signature</h2>
-                        <p th:text="'Welcome, ' + ${principalName} + '!'" class="welcome-line"></p>
-                    </div>
-                    <div id="file-name"></div>
-                    <div id="file-drop-area">
-                        <div>Drag file here for signing...</div>
-                        <p class="text-center p-4" style="padding-top: 2rem !important;">
-                            <label for="webeid-upload-file" class="btn btn-info" style="cursor: pointer;">... or load file from disk</label>
-                            <input id="webeid-upload-file" type="file" name="file" style="display: none">
-                        </p>
-                    </div>
-                    <p class="text-center p-4">
-                        <button id="webeid-sign-button" class="btn btn-info" style="display: none;">Sign container</button>
-                        <button id="webeid-download-button" class="btn btn-success" style="display: none;">Download container</button>
-                    </p>
-                </div>
-                <button id="webeid-logout-button" class="btn btn-info">Logout</button>
+    />
+</head>
+<body class="m-4">
+<div class="container">
+    <div class="row justify-content-md-center">
+        <div class="col-xs-12 col-md-8" style="padding-top: 3rem;">
+            <div style="text-align: center;">
+                <h2 class="adding-signature">Digital signing</h2>
+                <p th:text="'Welcome, ' + ${principalName} + '!'" class="welcome-line"></p>
             </div>
-        </div>
-        <div id="error-message" class="alert alert-danger" style="display: none;" role="alert">
-            <div class="message"></div>
-            <pre class="details"></pre>
-        </div>
-
-        <script type="module">
-            "use strict";
-            import * as webeid from "/js/web-eid-0.9.0.js";
-            import { hideErrorMessage, showErrorMessage } from "/js/error-message.js";
-
-            const signButton = document.querySelector("#webeid-sign-button");
-            const downloadButton = document.querySelector("#webeid-download-button");
 
-            const fileUploadArea = document.querySelector("#file-drop-area");
-            const fileUploadInput = document.querySelector("#webeid-upload-file");
-            const fileNameText = document.querySelector("#file-name");
+            <div id="file-name"></div>
 
-            fileUploadArea.classList.add( 'has-advanced-upload' );
-
-            ['drag', 'dragstart', 'dragend', 'dragover', 'dragenter', 'dragleave', 'drop'].forEach( function( event )
-            {
-                fileUploadArea.addEventListener( event, function( e )
-                {
-                    // preventing the unwanted behaviours
-                    e.preventDefault();
-                    e.stopPropagation();
-                });
-            });
-            ['dragover', 'dragenter'].forEach( function( event )
-            {
-                fileUploadArea.addEventListener( event, function()
-                {
-                    fileUploadArea.classList.add('is-dragover');
-                });
-            });
-            ['dragleave', 'dragend', 'drop'].forEach( function( event )
-            {
-                fileUploadArea.addEventListener( event, function()
-                {
-                    fileUploadArea.classList.remove('is-dragover');
-                });
-            });
-
-            async function uploadFile(file) {
-                const formData  = new FormData();
-                formData.append("file", file)
+            <div id="example-document">
+                <p class="p-4">To test digital signing, you can sign the following document by clicking
+                    <i>Sign document </i> below:</p>
+                <iframe src="/files/example-for-signing.txt" width="100%" height="200"></iframe>
+            </div>
 
-                const response = await fetch("/sign/upload", {
-                    method: 'POST',
-                    body: formData
-                });
+            <p class="text-center p-4">
+                <button id="webeid-sign-button" class="btn btn-info">Sign document</button>
+                <button id="webeid-download-button" class="btn btn-success" style="display: none;">Download container
+                </button>
+            </p>
+        </div>
+        <button id="webeid-logout-button" class="btn btn-info">Logout</button>
+    </div>
+</div>
+<div id="error-message" class="alert alert-danger" style="display: none;" role="alert">
+    <div class="message"></div>
+    <pre class="details"></pre>
+</div>
 
-                response.json().then(data => {
-                    signButton.removeAttribute("style");
-                    fileNameText.textContent = "File uploaded: " + data.name;
-                    downloadButton.setAttribute("style", "display: none;");
-                    fileUploadArea.setAttribute("style", "display: none;");
-                });
-            }
+<script type="module">
+    "use strict";
+    import * as webeid from "/js/web-eid-0.9.0.js";
+    import {hideErrorMessage, showErrorMessage} from "/js/error-message.js";
 
-            document.querySelector("#webeid-logout-button").addEventListener("click", async () => {
-                await fetch("/logout");
-                window.location.href = "/";
-            });
+    const signButton = document.querySelector("#webeid-sign-button");
+    const downloadButton = document.querySelector("#webeid-download-button");
 
-            downloadButton.addEventListener("click", async () => {
-                window.location.href = "/sign/download";
-            });
+    const fileNameText = document.querySelector("#file-name");
+    const exampleDocument = document.querySelector("#example-document");
 
-            fileUploadInput.addEventListener("input", async () => {
-                const firstFile = fileUploadInput.files[0];
-                await uploadFile(firstFile);
-            });
+    document.querySelector("#webeid-logout-button").addEventListener("click", async () => {
+        await fetch("/logout");
+        window.location.href = "/";
+    });
 
-            fileUploadArea.addEventListener("drop", async (e) => {
-                const firstFile = e.dataTransfer.files[0];
-                await uploadFile(firstFile);
-            })
+    downloadButton.addEventListener("click", async () => {
+        window.location.href = "/sign/download";
+    });
 
-            signButton.addEventListener("click", async () => {
-                const options = {
-                    postPrepareSigningUrl: window.location.origin + "/sign/prepare",
-                    postFinalizeSigningUrl: window.location.origin + "/sign/sign"
-                };
+    signButton.addEventListener("click", async () => {
+        const options = {
+            postPrepareSigningUrl: window.location.origin + "/sign/prepare",
+            postFinalizeSigningUrl: window.location.origin + "/sign/sign"
+        };
 
-                hideErrorMessage();
-                signButton.disabled = true;
+        hideErrorMessage();
+        signButton.disabled = true;
 
-                try {
-                    const response = await webeid.sign(options);
-                    signButton.setAttribute("style", "display: none;");
-                    downloadButton.removeAttribute("style");
-                    fileNameText.textContent = "Signature added: " + response.body.name;
-                } catch (error) {
-                    showErrorMessage(error);
-                    throw error;
-                } finally {
-                    signButton.disabled = false;
-                }
-            });
-        </script>
-    </body>
+        try {
+            const response = await webeid.sign(options);
+            signButton.setAttribute("style", "display: none;");
+            exampleDocument.setAttribute("style", "display: none;");
+            downloadButton.removeAttribute("style");
+            fileNameText.textContent = "Signature added: " + response.body.name;
+        } catch (error) {
+            showErrorMessage(error);
+            throw error;
+        } finally {
+            signButton.disabled = false;
+        }
+    });
+</script>
+</body>
 </html>
diff --git a/example/src/test/java/org/webeid/example/WebApplicationTest.java b/example/src/test/java/org/webeid/example/WebApplicationTest.java
index 9d32d4b..55838d8 100644
--- a/example/src/test/java/org/webeid/example/WebApplicationTest.java
+++ b/example/src/test/java/org/webeid/example/WebApplicationTest.java
@@ -114,8 +114,10 @@ public void validateOcspResponse(XadesSignature xadesSignature) {
         MockHttpServletResponse response = HttpHelper.login(mvcBuilder, session, ObjectMother.mockAuthToken());
         assertEquals("{\"sub\":\"JAAK-KRISTJAN JÕEORG, PNOEE-38001085718\",\"auth\":[\"ROLE_USER\"]}", response.getContentAsString());
 
+        /* Example how to test file upload.
         response = HttpHelper.upload(mvcBuilder, session, ObjectMother.mockMultipartFile());
         assertEquals(HttpStatus.OK.value(), response.getStatus());
+        */
 
         response = HttpHelper.prepare(mvcBuilder, session, ObjectMother.mockPrepareRequest());
         assertEquals(HttpStatus.OK.value(), response.getStatus());
@@ -127,6 +129,6 @@ public void validateOcspResponse(XadesSignature xadesSignature) {
 
         response = HttpHelper.download(mvcBuilder, session, ObjectMother.mockSignRequest(digestDTO.getHash()));
         assertEquals(HttpStatus.OK.value(), response.getStatus());
-        assertEquals("attachment; filename=test-file.asice", response.getHeader("Content-Disposition"));
+        assertEquals("attachment; filename=example-for-signing.asice", response.getHeader("Content-Disposition"));
     }
 }

From 4cdce5a8bfc3a7fea214c0d9daee6eb5d5fbc6c4 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Mon, 1 Mar 2021 12:56:23 +0200
Subject: [PATCH 014/116] deps: update code to web-eid-authtoken v1.0.1 API

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/.github/workflows/maven-build.yml     |  4 ++--
 .../config/ValidationConfiguration.java       | 23 +++++++++++--------
 2 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/example/.github/workflows/maven-build.yml b/example/.github/workflows/maven-build.yml
index ae38343..be61680 100644
--- a/example/.github/workflows/maven-build.yml
+++ b/example/.github/workflows/maven-build.yml
@@ -17,8 +17,8 @@ jobs:
         uses: actions/cache@v1
         with:
           path: ~/.m2
-          key: ${{ runner.os }}-m2-v8-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2-v8
+          key: ${{ runner.os }}-m2-v8-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-v8-${{ secrets.CACHE_VERSION }}
 
       - name: Build
         run: mvn --batch-mode compile
diff --git a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
index efb30ca..f526674 100644
--- a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
+++ b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
@@ -29,6 +29,7 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.io.Resource;
 import org.springframework.core.io.support.PathMatchingResourcePatternResolver;
+import org.webeid.security.exceptions.JceException;
 import org.webeid.security.nonce.NonceGenerator;
 import org.webeid.security.nonce.NonceGeneratorBuilder;
 import org.webeid.security.validator.AuthTokenValidator;
@@ -105,7 +106,6 @@ public X509Certificate[] trustedCertificateAuthorities() {
             }
 
         } catch (CertificateException | IOException e) {
-            LOG.error("Error initializing trusted CA certificates.", e);
             throw new RuntimeException("Error initializing trusted CA certificates.", e);
         }
 
@@ -126,7 +126,6 @@ public X509Certificate[] initializeTrustedCACertificatesFromKeyStore() {
                 caCertificates.add(certificate);
             }
         } catch (IOException | CertificateException | KeyStoreException | NoSuchAlgorithmException e) {
-            LOG.error("Error initializing trusted CA certificates from trust store.", e);
             throw new RuntimeException("Error initializing trusted CA certificates from trust store.", e);
         }
 
@@ -136,14 +135,18 @@ public X509Certificate[] initializeTrustedCACertificatesFromKeyStore() {
 
     @Bean
     public AuthTokenValidator validator() {
-        return new AuthTokenValidatorBuilder()
-                .withSiteOrigin(URI.create(yamlConfig().getLocalOrigin()))
-                // TODO: it is still open what the validation library should do when cert fingerprint validation is enabled but fingerprint is null (as in Chrome).
-//                .withSiteCertificateSha256Fingerprint(yamlConfig().getFingerprint())
-                .withNonceCache(nonceCache())
-                .withTrustedCertificateAuthorities(trustedCertificateAuthorities())
-                .withTrustedCertificateAuthorities(initializeTrustedCACertificatesFromKeyStore())
-                .build();
+        try {
+            return new AuthTokenValidatorBuilder()
+                    .withSiteOrigin(URI.create(yamlConfig().getLocalOrigin()))
+                    // TODO: it is still open what the validation library should do when cert fingerprint validation is enabled but fingerprint is null (as in Chrome).
+                    // .withSiteCertificateSha256Fingerprint(yamlConfig().getFingerprint())
+                    .withNonceCache(nonceCache())
+                    .withTrustedRootCertificateAuthorities(trustedCertificateAuthorities())
+                    .withTrustedRootCertificateAuthorities(initializeTrustedCACertificatesFromKeyStore())
+                    .build();
+        } catch (JceException e) {
+            throw new RuntimeException("Error building the Web eID auth token validator.", e);
+        }
     }
 
     @Bean

From b841861921f3c709c1a1b5c3383f163dfb087c53 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Thu, 4 Mar 2021 15:57:53 +0200
Subject: [PATCH 015/116] conf: bump org.webeid log level to DEBUG

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/src/main/resources/application.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/example/src/main/resources/application.yaml b/example/src/main/resources/application.yaml
index 05e7b8e..2c53a60 100644
--- a/example/src/main/resources/application.yaml
+++ b/example/src/main/resources/application.yaml
@@ -4,6 +4,12 @@ spring:
     multipart:
       max-file-size: 5000KB
       max-request-size: 5000KB
+
+logging:
+  level:
+    org.webeid.security: DEBUG
+    org.webeid.example: DEBUG
+
 web-eid-auth-token:
   validation:
     use-digidoc4j-prod-configuration: true

From 7666d505a0dec3719a34a5837a4db89806fb8dff Mon Sep 17 00:00:00 2001
From: Kristjan Vaikla <47743732+Counter178@users.noreply.github.com>
Date: Mon, 15 Mar 2021 10:38:22 +0200
Subject: [PATCH 016/116] Update README.md

Updated EU logo

Signed-off-by: Kristjan Vaikla kristjan.vaikla@ria.ee
---
 example/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/README.md b/example/README.md
index dcd160a..fdf3022 100644
--- a/example/README.md
+++ b/example/README.md
@@ -1,6 +1,6 @@
 # Web eID Spring Boot example
 
-![European Regional Development Fund](https://github.com/e-gov/RIHA-Frontend/raw/master/logo/EU/EU.png)
+![European Regional Development Fund](https://github.com/open-eid/DigiDoc4-Client/blob/master/client/images/EL_Regionaalarengu_Fond.png)
 
 Example Spring Boot web application that uses Web eID for strong authentication
 and digital signing with electronic ID smart cards.

From c5ac11c8f445efdb8de44dcce8e37a426718f399 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Mon, 15 Mar 2021 17:25:21 +0200
Subject: [PATCH 017/116] Update authtoken-validation to 1.0.2, web-eid package
 to 9.4.0-rc1, add uninstall instructions

---
 example/pom.xml                               |  2 +-
 .../config/ValidationConfiguration.java       | 13 ++----
 .../static/files/web-eid-0.9.4.76.pkg         |  3 --
 .../static/files/web-eid-0.9.4.76.x64.msi     |  3 --
 .../static/files/web-eid_0.9.4.76_amd64.deb   |  3 --
 example/src/main/resources/static/index.html  | 46 ++++++++++++++++---
 6 files changed, 46 insertions(+), 24 deletions(-)
 delete mode 100644 example/src/main/resources/static/files/web-eid-0.9.4.76.pkg
 delete mode 100644 example/src/main/resources/static/files/web-eid-0.9.4.76.x64.msi
 delete mode 100644 example/src/main/resources/static/files/web-eid_0.9.4.76_amd64.deb

diff --git a/example/pom.xml b/example/pom.xml
index 2023ab8..7dda87b 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -20,7 +20,7 @@
 		<java.version>1.8</java.version>
 		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
 		<caffeine.version>2.8.5</caffeine.version>
-		<webeid.version>1.0.1</webeid.version>
+		<webeid.version>1.0.2</webeid.version>
 		<jmockit.version>1.44</jmockit.version>
 	</properties>
 
diff --git a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
index f526674..2df70d9 100644
--- a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
+++ b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
@@ -23,8 +23,6 @@
 package org.webeid.example.config;
 
 import com.github.benmanes.caffeine.jcache.spi.CaffeineCachingProvider;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.io.Resource;
@@ -62,7 +60,6 @@
 @Configuration
 public class ValidationConfiguration {
 
-    private static final Logger LOG = LoggerFactory.getLogger(ValidationConfiguration.class);
     private static final String CACHE_NAME = "nonceCache";
     private static final long NONCE_TTL_MINUTES = 5;
 
@@ -73,7 +70,7 @@ public CacheManager cacheManager() {
 
     @Bean
     public Cache<String, LocalDateTime> nonceCache() {
-        CacheManager cacheManager = Caching.getCachingProvider().getCacheManager();
+        final CacheManager cacheManager = cacheManager();
         Cache<String, LocalDateTime> cache = cacheManager.getCache(CACHE_NAME);
 
         if (cache == null) {
@@ -91,7 +88,7 @@ public NonceGenerator generator() {
     }
 
     @Bean
-    public X509Certificate[] trustedCertificateAuthorities() {
+    public X509Certificate[] loadTrustedCACertificatesFromResources() {
         List<X509Certificate> caCertificates = new ArrayList<>();
 
         try {
@@ -113,7 +110,7 @@ public X509Certificate[] trustedCertificateAuthorities() {
     }
 
     @Bean
-    public X509Certificate[] initializeTrustedCACertificatesFromKeyStore() {
+    public X509Certificate[] loadTrustedCACertificatesFromKeyStore() {
         List<X509Certificate> caCertificates = new ArrayList<>();
 
         try (InputStream is = ValidationConfiguration.class.getResourceAsStream("/certs/trusted_certificates.jks")) {
@@ -141,8 +138,8 @@ public AuthTokenValidator validator() {
                     // TODO: it is still open what the validation library should do when cert fingerprint validation is enabled but fingerprint is null (as in Chrome).
                     // .withSiteCertificateSha256Fingerprint(yamlConfig().getFingerprint())
                     .withNonceCache(nonceCache())
-                    .withTrustedRootCertificateAuthorities(trustedCertificateAuthorities())
-                    .withTrustedRootCertificateAuthorities(initializeTrustedCACertificatesFromKeyStore())
+                    .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromResources())
+                    .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromKeyStore())
                     .build();
         } catch (JceException e) {
             throw new RuntimeException("Error building the Web eID auth token validator.", e);
diff --git a/example/src/main/resources/static/files/web-eid-0.9.4.76.pkg b/example/src/main/resources/static/files/web-eid-0.9.4.76.pkg
deleted file mode 100644
index 7787ba1..0000000
--- a/example/src/main/resources/static/files/web-eid-0.9.4.76.pkg
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:78f7f879bc0e2a23e5cad20baa82b69eaba06710d8259516e9f13e2c482a49ba
-size 21001267
diff --git a/example/src/main/resources/static/files/web-eid-0.9.4.76.x64.msi b/example/src/main/resources/static/files/web-eid-0.9.4.76.x64.msi
deleted file mode 100644
index d95fd64..0000000
--- a/example/src/main/resources/static/files/web-eid-0.9.4.76.x64.msi
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1fd96cc362defc7899d44821fcc9d72dcc29a6ca6674747158b32774d2d99e7a
-size 18944000
diff --git a/example/src/main/resources/static/files/web-eid_0.9.4.76_amd64.deb b/example/src/main/resources/static/files/web-eid_0.9.4.76_amd64.deb
deleted file mode 100644
index 058cb88..0000000
--- a/example/src/main/resources/static/files/web-eid_0.9.4.76_amd64.deb
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a6711039ec2ced20ad2b78e80d9df1dc7839b57a1fcfb4f8f49a0b44ffe1d440
-size 146324
diff --git a/example/src/main/resources/static/index.html b/example/src/main/resources/static/index.html
index d3502f8..568d736 100644
--- a/example/src/main/resources/static/index.html
+++ b/example/src/main/resources/static/index.html
@@ -31,7 +31,7 @@ <h2>Web eID test page</h2>
             </p>
 
             <hr/>
-            <h4>Testing</h4>
+            <h4>Installation and testing</h4>
             <p>
                 Instructions for testing in Firefox, Chrome or Edge (support for Safari has been already
                 added as well, but it is not yet published):
@@ -40,15 +40,24 @@ <h4>Testing</h4>
                 <li>
                     Download and run the Web eID native app and browser extension installer:
                     <ul>
-                        <li>for Ubuntu Linux 20.04 from <a href="/files/web-eid_0.9.4.76_amd64.deb">here</a></li>
-                        <li>for macOS 10.13 or later from <a href="/files/web-eid-0.9.4.76.pkg">here</a></li>
-                        <li>for Windows 10 from <a href="/files/web-eid-0.9.4.76.x64.msi">here</a>.</li>
+                        <li>for Ubuntu Linux 20.04 from <a
+                                href="https://github.com/web-eid/web-eid-app/releases/download/0.9.4-rc1/web-eid_0.9.4.141_amd64.deb">here</a>,
+                            install it with<br><code>sudo apt install ./web-eid_0.9.4.141_amd64.deb</code>
+                        </li>
+                        <li>for macOS 10.13 or later from <a
+                                href="https://github.com/web-eid/web-eid-app/releases/download/0.9.4-rc1/web-eid-0.9.4.141.pkg">here</a>
+                        </li>
+                        <li>for Windows 10 from <a
+                                href="https://github.com/web-eid/web-eid-app/releases/download/0.9.4-rc1/web-eid-0.9.4.141.x64.msi">here</a>.
+                        </li>
                     </ul>
                 </li>
                 <li>
                     The installer will install the browser extension for all supported browsers automatically.
-                    The extension must be manually enabled from the browser extensions management page
-                    and may need browser restart under certain circumstances.
+                    The extension must be manually enabled from either the extension installation pop-up that appears in
+                    the browser
+                    or from the browser extensions management page and may need browser restart under certain
+                    circumstances.
                 </li>
                 <li>
                     Attach a smart card reader to the computer and insert the eID card into the reader.
@@ -63,6 +72,31 @@ <h4>Testing</h4>
                 <button id="webeid-auth-button" class="btn btn-info">Authenticate</button>
             </p>
 
+            <hr/>
+            <h4>Uninstallation</h4>
+
+            <h5>Ubuntu Linux</h5>
+            <p>Uninstall Web eID with<br>
+                <code>sudo apt purge web-eid</code></p>
+            <p>The uninstaller will remove the browser extension from all supported browsers automatically.</p>
+
+            <h5>macOS</h5>
+            <p>Uninstall Web eID with<br>
+                <code>sudo rm -rf /Applications/Utilities/web-eid.app \</code><br>
+                <code>&nbsp;&nbsp;/Library/Google/Chrome/NativeMessagingHosts/eu.webeid.json \</code><br>
+                <code>&nbsp;&nbsp;/Library/Application\ Support/Mozilla/NativeMessagingHosts/eu.webeid.json \</code><br>
+                <code>&nbsp;&nbsp;/Library/Application\ Support/Google/Chrome/External\
+                    Extensions/ncibgoaomkmdpilpocfeponihegamlic.json</code><br>
+                <code>PLIST=/Library/Preferences/org.mozilla.firefox.plist</code><br>
+                <code>sudo defaults write ${PLIST} ExtensionSettings \</code><br>
+                <code>&nbsp;&nbsp;-dict-add "'{e68418bc-f2b0-4459-a9ea-3e72b6751b07}'" "{ 'installation_mode' =
+                    'blocked'; }"</code>
+            </p>
+
+            <h5>Windows</h5>
+            <p>Uninstall Web eID using <i>Add or remove programs</i>.</p>
+            <p>The uninstaller will remove the browser extension from all supported browsers automatically.</p>
+
             <hr/>
             <h4>Debugging and logs</h4>
             <ul>

From 5ca00339417070655ed02599eebf6306ea101ab2 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Mon, 15 Mar 2021 18:35:48 +0200
Subject: [PATCH 018/116] Add documentation and developers sections to
 index.html

---
 example/src/main/resources/static/index.html | 64 +++++++++++++++++---
 1 file changed, 55 insertions(+), 9 deletions(-)

diff --git a/example/src/main/resources/static/index.html b/example/src/main/resources/static/index.html
index 568d736..9ccc437 100644
--- a/example/src/main/resources/static/index.html
+++ b/example/src/main/resources/static/index.html
@@ -3,7 +3,7 @@
 <head>
     <meta charset="UTF-8"/>
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
-    <title>Web eID test page</title>
+    <title>Web eID: electronic ID smart cards on the Web</title>
     <link
             href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css"
             rel="stylesheet"
@@ -18,22 +18,28 @@
 <div class="container">
     <div class="row justify-content-md-center">
         <div class="col-xs-12 col-md-8">
-            <h2>Web eID test page</h2>
+            <h2>Web eID: electronic ID smart cards on the Web</h2>
             <p>
                 The Web eID project enables usage of European Union electronic identity (eID) smart cards for
                 secure authentication and digital signing of documents on the web using public-key cryptography.
             </p>
-            <p>Estonian, Finnish, Latvian and Lithuanian eID cards are supported, but only Estonian eID card support
-                is currently enabled in this test service.</p>
             <p>
-                Technical overview of the solution is available in the project
-                <a href="https://github.com/open-eid/browser-extensions2">system architecture document</a>.
+                Estonian, Finnish, Latvian and Lithuanian eID cards are supported in the first phase, but only
+                Estonian eID card support is currently enabled in the test application below.
             </p>
 
             <hr/>
-            <h4>Installation and testing</h4>
+            <h4>Table of contents</h4>
+            <ul>
+                <li><a href="#usage">Usage</a></li>
+                <li><a href="#documentation">Documentation</a>
+                <li><a href="#for-developers">For developers</a>
+            </ul>
+
+            <hr/>
+            <h3><a id="usage"></a>Usage</h3>
             <p>
-                Instructions for testing in Firefox, Chrome or Edge (support for Safari has been already
+                Instructions for installing and testing in Firefox, Chrome or Edge (support for Safari has been already
                 added as well, but it is not yet published):
             </p>
             <ol>
@@ -97,7 +103,6 @@ <h5>Windows</h5>
             <p>Uninstall Web eID using <i>Add or remove programs</i>.</p>
             <p>The uninstaller will remove the browser extension from all supported browsers automatically.</p>
 
-            <hr/>
             <h4>Debugging and logs</h4>
             <ul>
                 <li>
@@ -117,6 +122,47 @@ <h4>Debugging and logs</h4>
                     </ul>
                 </li>
             </ul>
+
+            <hr/>
+            <h3><a id="documentation"></a>Documentation</h3>
+            <p>
+                Technical overview of the solution is available in the project
+                <a href="https://github.com/open-eid/browser-extensions2">system architecture document</a>.
+                Overview of authentication token validation implementation in the back end is available in the
+                <i>web-eid-authtoken-validation-java</i> Java library
+                <a href="https://github.com/web-eid/web-eid-authtoken-validation-java#authentication-token-validation">README</a>.
+            </p>
+            <p>
+                Security analysis of the solution is available
+                <a href="https://web-eid.gitlab.io/analysis/webextensions-main.pdf">in this document</a>.
+            </p>
+            <hr/>
+            <h3><a id="for-developers"></a>For developers</h3>
+            <p>
+                Currently the Web eID back-end libraries are available for Java web applications.
+            </p>
+            <p>
+                To implement authentication and digital signing with Web eID in a Java web application,
+                you need to
+            <ul>
+                <li>use the <i>web-eid.js</i> JavaScript library in the front end of the web application
+                    according to the instructions
+                    <a href="https://github.com/web-eid/web-eid.js#quickstart">here</a>,
+                </li>
+                <li>for authentication, use the <i>web-eid-authtoken-validation-java</i> Java library in
+                    the back end of the web application according to the instructions
+                    <a href="https://github.com/web-eid/web-eid-authtoken-validation-java#quickstart">here</a>,
+                </li>
+                <li>for digital signing, use the <i>digidoc4j</i> Java library in the back end of the web
+                    application according to the instructions
+                    <a href="https://github.com/open-eid/digidoc4j/wiki/Examples-of-using-it">here</a>.
+                </li>
+            </ul>
+            <p>
+                The full source code of an example Spring Boot web application that uses Web eID for authentication
+                and digital signing is available
+                <a href="https://github.com/web-eid/web-eid-spring-boot-example">here</a>.
+            </p>
         </div>
     </div>
 </div>

From c77f6b7586a8ffa8022c376a2b540e210eb39db4 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 16 Mar 2021 17:28:20 +0200
Subject: [PATCH 019/116] doc: add contact info to index.html

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/src/main/resources/static/index.html | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/example/src/main/resources/static/index.html b/example/src/main/resources/static/index.html
index 9ccc437..0b7426c 100644
--- a/example/src/main/resources/static/index.html
+++ b/example/src/main/resources/static/index.html
@@ -27,6 +27,10 @@ <h2>Web eID: electronic ID smart cards on the Web</h2>
                 Estonian, Finnish, Latvian and Lithuanian eID cards are supported in the first phase, but only
                 Estonian eID card support is currently enabled in the test application below.
             </p>
+            <p>
+                Please get in touch by email at help@ria.ee in case you need support with adding Web eID to your project
+                or want to add support for a new eID card to Web eID.
+            </p>
 
             <hr/>
             <h4>Table of contents</h4>

From b7710ba33ba4c63d38d507ddf037540ace6a40ba Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Thu, 18 Mar 2021 17:06:56 +0200
Subject: [PATCH 020/116] doc: mention Croatian eID support, Ubuntu Software
 Center

---
 example/src/main/resources/static/index.html | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/example/src/main/resources/static/index.html b/example/src/main/resources/static/index.html
index 0b7426c..a176c7f 100644
--- a/example/src/main/resources/static/index.html
+++ b/example/src/main/resources/static/index.html
@@ -24,7 +24,7 @@ <h2>Web eID: electronic ID smart cards on the Web</h2>
                 secure authentication and digital signing of documents on the web using public-key cryptography.
             </p>
             <p>
-                Estonian, Finnish, Latvian and Lithuanian eID cards are supported in the first phase, but only
+                Estonian, Finnish, Latvian, Lithuanian and Croatian eID cards are supported in the first phase, but only
                 Estonian eID card support is currently enabled in the test application below.
             </p>
             <p>
@@ -52,7 +52,8 @@ <h3><a id="usage"></a>Usage</h3>
                     <ul>
                         <li>for Ubuntu Linux 20.04 from <a
                                 href="https://github.com/web-eid/web-eid-app/releases/download/0.9.4-rc1/web-eid_0.9.4.141_amd64.deb">here</a>,
-                            install it with<br><code>sudo apt install ./web-eid_0.9.4.141_amd64.deb</code>
+                            install it with either the Ubuntu Software Center or from the console with<br>
+                            <code>sudo apt install ./web-eid_0.9.4.141_amd64.deb</code>
                         </li>
                         <li>for macOS 10.13 or later from <a
                                 href="https://github.com/web-eid/web-eid-app/releases/download/0.9.4-rc1/web-eid-0.9.4.141.pkg">here</a>

From d1fcac2fd21dfc171535a27a7419ce7519f045fa Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Thu, 18 Mar 2021 17:15:59 +0200
Subject: [PATCH 021/116] doc: mention Ubuntu Software Center during unistall

---
 example/src/main/resources/static/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/src/main/resources/static/index.html b/example/src/main/resources/static/index.html
index a176c7f..ec734cb 100644
--- a/example/src/main/resources/static/index.html
+++ b/example/src/main/resources/static/index.html
@@ -87,7 +87,7 @@ <h3><a id="usage"></a>Usage</h3>
             <h4>Uninstallation</h4>
 
             <h5>Ubuntu Linux</h5>
-            <p>Uninstall Web eID with<br>
+            <p>Uninstall Web eID either using the Ubuntu Software Center or from the console with<br>
                 <code>sudo apt purge web-eid</code></p>
             <p>The uninstaller will remove the browser extension from all supported browsers automatically.</p>
 

From cad6168f6ca5b4b7f1c4b0ff8f401e63da876aab Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 19 Mar 2021 11:18:58 +0200
Subject: [PATCH 022/116] fix(html): make welcome page error box similar to
 auth page

---
 example/src/main/resources/static/index.html      | 1 +
 example/src/main/resources/templates/welcome.html | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/example/src/main/resources/static/index.html b/example/src/main/resources/static/index.html
index ec734cb..9cbfa69 100644
--- a/example/src/main/resources/static/index.html
+++ b/example/src/main/resources/static/index.html
@@ -75,6 +75,7 @@ <h3><a id="usage"></a>Usage</h3>
                 </li>
                 <li>Click <i>Authenticate</i> below.</li>
             </ol>
+
             <div id="error-message" class="alert alert-danger" style="display: none;" role="alert">
                 <div class="message"></div>
                 <pre class="details"></pre>
diff --git a/example/src/main/resources/templates/welcome.html b/example/src/main/resources/templates/welcome.html
index 82a9826..7d2beeb 100644
--- a/example/src/main/resources/templates/welcome.html
+++ b/example/src/main/resources/templates/welcome.html
@@ -31,6 +31,10 @@ <h2 class="adding-signature">Digital signing</h2>
                 <iframe src="/files/example-for-signing.txt" width="100%" height="200"></iframe>
             </div>
 
+            <div id="error-message" class="alert alert-danger" style="display: none;" role="alert">
+                <div class="message"></div>
+                <pre class="details"></pre>
+            </div>
             <p class="text-center p-4">
                 <button id="webeid-sign-button" class="btn btn-info">Sign document</button>
                 <button id="webeid-download-button" class="btn btn-success" style="display: none;">Download container
@@ -40,10 +44,6 @@ <h2 class="adding-signature">Digital signing</h2>
         <button id="webeid-logout-button" class="btn btn-info">Logout</button>
     </div>
 </div>
-<div id="error-message" class="alert alert-danger" style="display: none;" role="alert">
-    <div class="message"></div>
-    <pre class="details"></pre>
-</div>
 
 <script type="module">
     "use strict";

From 4a08590f8de268136394070485417e23da6784f7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mart=20S=C3=B5mermaa?= <mrts@users.noreply.github.com>
Date: Tue, 30 Mar 2021 12:05:47 +0300
Subject: [PATCH 023/116] fix(signing): update DigiDoc4j to mitigate LOTL
 change issue

---
 example/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/pom.xml b/example/pom.xml
index 7dda87b..1684073 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -76,7 +76,7 @@
 		<dependency>
 			<groupId>org.digidoc4j</groupId>
 			<artifactId>digidoc4j</artifactId>
-			<version>4.1.0</version>
+			<version>4.1.1</version>
 		</dependency>
 		<dependency>
 			<groupId>org.webeid.security</groupId>

From 8df70f16d440af7382270773e23030e03f5b5a54 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 6 Apr 2021 17:19:39 +0300
Subject: [PATCH 024/116] release(html): web-eid-app release downloads
 0.9.4-rc1 -> 0.9.4

---
 example/src/main/resources/static/index.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/example/src/main/resources/static/index.html b/example/src/main/resources/static/index.html
index 9cbfa69..439d7b9 100644
--- a/example/src/main/resources/static/index.html
+++ b/example/src/main/resources/static/index.html
@@ -51,15 +51,15 @@ <h3><a id="usage"></a>Usage</h3>
                     Download and run the Web eID native app and browser extension installer:
                     <ul>
                         <li>for Ubuntu Linux 20.04 from <a
-                                href="https://github.com/web-eid/web-eid-app/releases/download/0.9.4-rc1/web-eid_0.9.4.141_amd64.deb">here</a>,
+                                href="https://github.com/web-eid/web-eid-app/releases/download/0.9.4/web-eid_0.9.4.141_amd64.deb">here</a>,
                             install it with either the Ubuntu Software Center or from the console with<br>
                             <code>sudo apt install ./web-eid_0.9.4.141_amd64.deb</code>
                         </li>
                         <li>for macOS 10.13 or later from <a
-                                href="https://github.com/web-eid/web-eid-app/releases/download/0.9.4-rc1/web-eid-0.9.4.141.pkg">here</a>
+                                href="https://github.com/web-eid/web-eid-app/releases/download/0.9.4/web-eid-0.9.4.141.pkg">here</a>
                         </li>
                         <li>for Windows 10 from <a
-                                href="https://github.com/web-eid/web-eid-app/releases/download/0.9.4-rc1/web-eid-0.9.4.141.x64.msi">here</a>.
+                                href="https://github.com/web-eid/web-eid-app/releases/download/0.9.4/web-eid-0.9.4.141.x64.msi">here</a>.
                         </li>
                     </ul>
                 </li>

From 3d02a226b6f71f784f035bafa20e967d8066762b Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 30 Apr 2021 21:48:34 +0300
Subject: [PATCH 025/116] relase(html): web-eid-app release 0.9.4 -> 1.0.0-rc1
 with tentative Safari support, add instructions for enabling logging

---
 .../static/files/Web eID privacy policy.pdf   | Bin 0 -> 76371 bytes
 example/src/main/resources/static/index.html  |  54 ++++++++++++++----
 2 files changed, 43 insertions(+), 11 deletions(-)
 create mode 100644 example/src/main/resources/static/files/Web eID privacy policy.pdf

diff --git a/example/src/main/resources/static/files/Web eID privacy policy.pdf b/example/src/main/resources/static/files/Web eID privacy policy.pdf
new file mode 100644
index 0000000000000000000000000000000000000000..d5c03c67bc609655c7a16eaa6ea9e63bfaf08aa0
GIT binary patch
literal 76371
zcma&NWmsIxx~`486P$#`-JyZt?(Xj1xN9J|dvJGmm*DPB@C0{v$RTsCxz{>ppY!eS
zM|Y2^F>2I1s`{#a?&qy0R}c}SXJ%kUAn)J3+C475&YA8XL|_9j0ql&d5O{b1j54OS
z=FS!X_V+3!0Hc^C$l28K{S##9Y${@EY-eH$;NwGZa&|N|v_WtOuhbcHT^mGS|3w>H
z5xnny0KRuxkvJqIiCxPcjnjlfLY>f*kM{%N^daDdUz789g0^b&lmDPSn1uL#s7QW$
zTielMemTKQ?pwoK?%RX>dD_#RZs+uubK9AQ7F+c@y6<f5o^!yZ=cX<n?cbLQ)xakd
z{vSn}^Q*4PA2$|>h)`_S=R@p{R?e%A`rK~yQKa5Hw2m`pdt;h(=Z`0%3%-dRjd|Yf
zmwRsLaonEVey={dy+!ywZ}CI-y%B%aQRT}EI&%53DKGbSvYFTVV*M9=)gO;h-`j5W
zGsc_M8)u`8qtzRg;BQcIA!!!q6yRAqlTy=;b$Pu)HWMS5PHvF7km>pM`&0{Ap*(Yk
zaB>fe#zft(XU+3u%J72A0i!eiwE9K$U{?A|A>Z{B<W0+>k1W4EXC4#-Rh9XByG2#G
z=^>XrbIbH>n&%`ZaF!yV2RA7+Kx)UHt@^PCKXM<Qw~@qjINC*ptdARl6M9K@iI(tJ
zen4v=Hr(BwfFGqoRw>|Q0c3IKPtKrfAY9}jSULhn!JbLk;FNFV79WWGa7jP?Hs#f~
zmY?PMJR=qQ7MbP1mkK7IaWNAL-_krec4*Nrv7+gP3>D!*ZF~U!dyDXves|`9)HEf{
z-a6sCqSRpitDVl8L)l#1cl$b6uZclMXYfU5CslaOuG*&LCTtA^wFwRii0E4C5!T}F
za%@NQ`)V^WQUc(x=K&QdLfWe*X=t7sDU#VWc<51Xqm8uIMPd_E)xjD5c*I8K?O{2s
zHqs)n_r(df+4dEE@aGW}E1<mo_Mj|H5l8%v7aduoxhE2`r_(^kr5Z}#p9ydmQBv->
zwvxuVQS6&r=Ie+O%04Mtda=uRoAe{lI%V2uQzp6rqHgkX5ptcNpK$gGskY><5TB93
zsl>={Ty{qFXV5o#0n9)?zBY;mvbLsl-p*f8O7P#*y)-V1esyZoT^W&WVPI;t+Xz`l
z=F>|YBD8~gXi&<MVFTi*qwjpoZQ|9(o0E#LjF|Rtvrfpr)^?wBAO37IIYZ2sc|NLx
zj4$}UhlmU9xAmJ)PVAihf-K*~>fC63gm4pJ82iZD#jl=2kPaSpKxR+iS5HF75rH*Z
z4fyOPXRwne<Yi$4*1$kt;tyk?;}m7~=<SzF9tZssCs_`&KH7uqC`Oa)j+F$Wca@q)
z>cg-`&WQO-==jW(_)3L6RZ@eapNOFc8FSy)+nsb7^}9XyduGYsa7KF!uoh+Zuazdh
z%CTha)GgbPw|~$K&vy39-ezLAEX$mIdLiekAKJ=CXDnuF(j(bc8l*XaBos{OUG-c~
zET|b&ne_{jP-KDDJ%CT;X7$^kQX&7zblY83T;T+Z6Yk<0%G9-5I_#*VQG6+0=#t;U
z$SEzU^NcWu6le?)LsmYnnQj*H(xpK`@%;b|VVI#g!gFb_JP~BbQz-Teh5GT$n2YD6
z0CB!XSm{^3oX|*~+~kMEhh9hYZcJZI6^I5iVmLopJ@QE?htSuRVV+<}La<NmNcV)`
z3339uy2~E0E_NoA=LD3^>nfrF)Q!*V-xk`wAf$hsiBB_d@=+zH)1zV&5kUwiF%+@9
z^j;_t64p4w2*$Bo@uWRC0sCYsj{VZ?2pTlCapvYHKXUYP>ExO1IYyb($B#;ke?1Ej
z@nP<DKjy%ukwfx&aTv{by4>*EOy#Gf_PTJx*0ht0Cvbu-wf2(I{Q1*ylBe<!nGm8^
z2zzxlV{;6BCXNt7*+5MfyJVE%>I*Q0aw6Nr;8SFx+4tozPyWCmMNW=WzGCQ-0(Xj<
z3AB&<3?8e#6lMM%)=CE-WzzMaYj7!vwJ;RJPba&V&{=1C_!h~RbgRg-YvlK{Wmree
zYC$zmi*8tKg_aw-rt3htazP9QN&3qr>RcoE#3@W8#IZz*C&WwMIF0ePC+M~G%!o_0
z&C+;6<et1DL*IH`nh<C?uebyXB^@EdoaVHMRr}Au9klm-gv-Jh#)k*A)GVk`q7z0-
zX0v9e$QQic>d3Uz;_}sLkb>o!X1O+W^aJ}WdmEOZ`Wq$J?gV4)g0&7J4e}OIBdBAx
zgv4+=NyM}BLJuq9y4T+(wx<>nOj|8uhl`<fgwW&iFr{K~3YZX($_1NrX@FYi^E|(H
z1v18j^}_y7>#r0Ivwp;YS{W*+NN^pT)e|hBWQGKaUJ4pAw+D4-r6|N;BU*l{pS6=|
z4Beol1PeW7SpvNmCCe>mz}k1XT)GIwB_+wPgg^&}I^*J`ErKRR`o$k?oV`>y+$9*R
z!l33OVwjOamWzoaaqNW!8iO6Zu|)3#QD;J`+mYpn-*ns(Fv+v#K6!}_!*yE<x-J>K
zWH>c?{dSkAK(4SjbNt3s&aujjkZnKy@!<Ex?}LPqk~|*RRd1RaZD6A+r(@d(_bAv;
zp(frA?1%or*pJ0z54z@eqX^Dl`eysMgab<&4|%EqMz|5h*YXs!S9po{XJw8qU<izf
zG~#8^)5Be*x;aUKKhHz~gEaY59)^g9IiD4$Vkni{<#49)aWgZrAb;k~^Qfm{=csXB
zrB^3sDkmYHEq0vOXy|IZXaQSN;_#psSzh|v0Zl7_g|Pm-&DY|x^~jjd`D^EnHd}<k
zZV2-kL^U}HobbI_Pi&659j27#MfUZiD17xxSp2(Q!bIe`e)+>T8sHq6EJp_+X&i=G
z1(6Jk<W)u>*F_LETxbv-c)68Ot|er&l#xCRse}$Nr<>`}2+dBG*_qW>^ZN)Cy0eaA
zDn^pfeg+?~W&TLXvvO#+1b>qvsGL2zW#4-3P{PTWI$*5}{jB!4Qu5a^EEaZOi9yCn
z?~Vl)tRI^P!MYm-K$o~;jnx(UJ95e+X;qi}CRAz3Zs4&3v3$MrNPC&4M7NexH}xFp
z9d(+YAxT@UVss9ibDE#1(F{5v;JSk>2oWWkp`IvU9djLOd=*rgCN0lQsg=x!BPgT|
zNyaX302L;g3BfMU*<cJI8S}(a+zyQjyuTl$3cuxi5`c}KGm2%g49}U6NK9D#6=sd@
zUT8hNt=hqq+qo{A%EsA;tXcDz$z<AHSH?s>M;?D^B9lfBdB$v0ycZG2t|2#*3uEWk
z)uSdZAXD36^Wvx~GJq^Ppk#pR)+aFG_W?Cy2^j*ztUw;uNlIs$<*fPmupuubcJ#M*
z^UaUgr8jkrJ<)SLk#(5H-+{|1M_&Y`%YMVtv%pY3Ay5VHg+)Ib-<8NO$VfF~pm!uP
zqBY<je`u(1z3`5m2^lW`LBG?fp95CB^h9zc^3(XLxOa|zI}LO6d>@!hU{Mz{0ogLX
zUNqb~B)4Xh;wH^V7UnYsn7>w~H9vmbV0HjlU8!Nl=fG#8$aF^_r?--jn(94?MLg7H
zUx&3r>s}@`shn?rdgO5Eeq#}s<6W+&gdaCq!;z=QwJS70irSSNYS`HnK$tHEBtcO?
zmgcetdiprGei-nWnye7MJxSsUKh<&2TbShYX*ud0m|k2cETP@BK;{dtZ(Hml%}!BU
z$c~nn`N2EhqzTepR?1vT@A^Iq86!Q5zicB#zbYCf`<l!dFJCHZXX<r$E#Ouz&*EAZ
zWNgv-q~c=5kOna@F61qmW;5dSJ(_>1oSJtMuFEC-*QOmu)7zT1JSz>RS^ZJVn`QsJ
zP`YdFIG41nv*U!$PYEIXpP#zW8S~?z;sdn;r=_nqi|C)fXcVq`H$`#AboXwPI`7>1
zo^2IKh`JJ-XqqCY^2?mQdLL<`&FxfLa%6Ri`a|vG-zm!4SAE^6T`YetF)0#>!*o4s
zi<2th+Egu0q;J17cOm^aiownRJM5bq*Nhz<H~P3Ct{s+KI&e6k<iDKs+<$aqR2h4q
zl)&4SCAf-_vbE;ZA4yrk<e=Y0KFhB6K_}dbe|tWb#xa0-7-b<eP;F9Fk4pO(b9D0X
zmf{YTTUtOrv|bZoQd3x|CeHPHHdl=rk29=#N*s1gy6Lh0XHG(&$3Z@v%)Pux0}}Fz
zDmva{3ev<Z_SP^s5W6Is_zePtzuhIzJgWUcs@%3TcqlSvCs>&aYCvU9i?7WK_OQ5h
z_yg6YhU;RN<PX}>J0$@l#RWP&U2uG8gU+D+oVo5Jk>8<CM76;}cmYD%F=mRew%@on
z<HaWU_5sA{R>8Ci2|qi&WhGDx9`g!qm{EhXX$rJRdzL;BvXKnzw|f5&a&rvdH5Wy2
zcm+Lj#WEG#;|A{QGB3<h`^e9+MoTbL3LQ9n$~gl)dN8<+vk=UMVKA0Fe_mQIiNx8&
z9Fa{GS<7Ye0De5dj**>j(qp)M8`huy796tK<yiwR)XRLY430L3*!v|#ZG6)PDjlA7
z{1h#f;hR_Zn%q=q8oTSjAz!T+^Y5>Pi&`|FV&iZod+6BZQg_%ek5r3NB<S1HAWu+D
zQH=at&0I;C;D@lx;JtsR2#IC7#K0HUN-!{w&O{ISuU$c4*kEXlVcPKHR|Y1*9{x(w
zHc_&b66V81cJoZb;(JMt5W3bKIQb44?hpMrElJOiw$#7<Qll@)QqWcq8Bcx4Haqzn
z9BqlRiCzBb7lP5eHrjzn=wrO}O3I{d92!c!PMf>7o-+uAi1lBhCfpG&C5Vs{juX}G
zlqv>IE0adkx*0UsQ8wo2=J=*TU{XPhnWXHinj%&~SVefT{r&wAgjXZPQ8*V`iY{6l
z)4^nW?t7J|`v~|Bn0f1y8YOtfE&2Yql?efg{CYFNloSCybzGCyUm&<nLs7nsJV!y>
zxGcqickzVHbm^FLhAZ~=*c3{(yMDQ2g1Pq%phe=MSxOmZjo8j7j3K{H-v!=t3!K67
z#f0UoTI3=r@6}pcjnX`xn{7&J7NgGv#F({Tf_h?17A0&MKL?Q*G(C(HW}m`Zox4$x
zs<UAjT`C0M>Inv9)VG}9tdG3<to<A|JLF4C!X35FkxDZZIBW_fg6nFczrA1Fm-JO(
z^?u<2e4+X}i=w>(f|j|V93X4&>#`Pp!@T-Dlk~Jw%8l_#l@D&I)vtj{`$d}Mt1kbT
zL<#S)p(yd5;W+oqYTNbYsBL6s83+%n;iDE^&JQ$CgeN}A;>sjSEnxn{8@ecNC|1>A
z)k2V_Deid|JcpZFS*(7azgvzeUFHkfCvOx1Wka2|<CF*kCq{^&0n;Dmc)h~=FFpLK
z4eSM`AFID`1wu^eTbPcBe84{iw&D;`As#1$@gg0hhckBOn7|skt{8^uAkdO-xE}Xr
zYp4G7pJhfN*Htz4U~56MS84Vaq&1H<!k-c?gQwuhkgk_CHfmu;$cT5BE(kqa>2Obq
zcg*>w!sCUSErp+IECC5pUDW!-@cDQT;X0~2)BF*bqT3pHhLftBszGx-kACKKT+;|{
zPr|(v+(*BjV*<E~?uw;qp>8rsS*iXEj#nh2P2PkU8d5OmT=pZ@v5zZfjJvMllTa4d
zfOdJ`BOim@u3v1|6ugoMiH}H*e>LC7w0@^fe9XH+c*__m{&clo&4K-ADhHpiNuvhI
zHo6XHkRZ$GJobz5=j=Gv2cmeU+$ZVL!-oX6{GY-?izAt(&SEDs+BS{?*(N=`s5l>6
zKQth5uTK9&s9GpYKK;OP3W2lUHjp$$EH%z3RL2Xch7ySiX1+bG)-oQ_?jM2b1T9im
z;#zx32nBISY?I>c3JYFbU^sQII9y=ih5O1K8>}5xY|aRTL+Q^&BSSg4d5G2+?!kU3
zO>V;kgYTT15wtAutrcgjm(!0okl3~jMRR-W?q6CM`2Iu1AkXsK@RMjvG*42aPD1E1
zwr{IMIPnLf9g8*1P?(Vt=^o44C1~?mlOvggdLkXYJ&Thl?;W}BnDVkJH_j&p>|(;0
z-x`rb03kh(Tm^JHsl+M1VvQn-(aMsa7iwLIPiUdAjU*0_6)%`<RUPdKBcGQN_A=BW
zYOpp^Jja84&jYd_)H7aIWP7p?9fU8GMV7tq5Dui6g=<8iw9JyW`*D-_g~)3&3w(N6
z4V95&7I$>#T2tI1&orY2O!o2)Dd?y_3Thk?vkday{1^?GhutcYS-)2T1K7vQ*OLiF
zZklp<c^}S+Bj-6<Wxo-j;looQnA)2B%l~;l`ePgY@rwR@vaxe<{5kvQnB_k#B^3{Q
zQvjoaq4{6$j;6NG0M@_lB_&fQI~PY|QzroM?+Rf%Tj%%lPJlm_)Vu#AYieR?C}igj
z&}MqCVCP~7aI&%JBD`Br|LW&YyML@J1xGt$Wm9K>_Iqa{VgN=JQ+H>8E`U+k4rJ%3
zY;S063i#u22|F<ZIR3glAK$yP_1@!O)ha6N0OmhoD<Lqds4z1Fm^uHt=)J%K;QHr~
z6~O!_lK0S5R5$_5|FX$cR5$?4{|foNEfawGpAP;bROUZ7`6t$Y*=#KTx|!Vjh%gHN
z@!D+PjWz(Ih^eckv8j@{(En_~Wqxy0QC`6gnd;=|oW>vlkl)~Y!UJZxC9t3r!zBF_
zAc6xaTt%S8KA=;pnW%Jwi-(XHi+(^1_-eESe}$$n*rO;Sy1O1}4S!zAe!Y?QI;6R|
zvfsS4Vt($k)CQ*T@)fGrSp(dUEmz~i*>R5!2Ig4*Jp?WqIEn^%_qLfCl=y=P#QaMq
zZ)$3Z#9;m18H1lm`zqac1q!Fd-(TWLIE2Yyzz{?ifIPkwIJ*#u%Jl<yEWe>fZ<454
zf|*&cbK&zUNPhKKgYJs=Xxm3pk|}m_@iiy$I@q!z+Z8s_$hY$&p>lOn$hXY%y<tr|
zRV35EcJHa?<{mO+z?eRy>W}YJ<buLjL_gr2g<U~_!6o){bvU9#JaSoNfw>o%?}Wc=
zd!r)sr4-BEgJH9$%X;NUBWBvfKH2S1cbTc12Bc^v9KUM2Z=&Gjnl`Bxai^7pr>B~W
zdlrx1S2jQSD!=j$dp@gPQk+a>2}WjVZh}rK7(21S?#Q&#Kh}38se(1wzzFPaSID0O
zz^<Ud8a6VnKLvyI;`@IhQ6fg1oPeCbv#l9u4>+E)zuJv{59Yd09Xoqg<1WJC_a~La
zVl@@rEh;XO78xH$LP?%7dA&#b{i~bHa$=;9E+e}e=Q8L(Rq-GZJ}}IpJ&4C&BbLDg
zA@Iw>_7_|rB`ltAru7F47kx0FATEU#N!VdKUNB)&NHSY~PY9o5Z8T<t;jRvg%D8H$
z7#7dB{U;(sop9T289@@|y*s2B6G!qqI=uYNKu`|^Ml7sz4g#A$0}}+D0WzT<t3Bif
z04&f?0uAyTB!dKmr2tf&Am1_=f*|uUxNCrwJ=naz=QNbuSD-zN4wQN~vOOY_pSS=*
zaE~+-_=dkF+}8^<tUST8SnLASRG~#Q0xdWXVL=7X50C@GVX<iO0*})aCAc&JWx2u%
zyf>uI_-$~y0Z%!w(*QP@S8$&|^c09WL*!+!Ccl*$ZbCTm-mxtacdQIpobJ_asTOQL
zl;&QXZGsChx*+}D1UP|VILH|>4LE{J5usQOGH`Ta>o}4Eh*HtCSd;>S)+mWMhaE_m
zkX*wQT<k%-Um=>2+eT`Ji$+pR3n|7aYBD%`Kr=K}|HrR|Mhmq?8k80MuJAzg^eFm%
zHG>!f?V99T$YsM5ZbFoyZoHp__P#B+IxM#ARZz{SOOfq<$9>4#6qoKDG#ekzzoPay
zT^M;2cOiTs{PJlthG_6RWh}fFl=W9s;%@*l5Sa=ZKHNUsYan_ro1%Y-yfaBKnn%Bm
z5p`|!vS5cKA%$GR2gzVE93?X9)CPYQNh=av3SNp%;`f!`MBEWqQ$SC?iYyzTPmUVT
zuaHPZ@j+gSP*i9|j!UXlz(c@8xKIhX#CBezETt_|OTJUYN6Lp$Jb^X&I{DW~WkPwJ
zb<%ON7rA`mQnFjJK0`L8KJgc+x1yI82*n<O9%cXh8ns-p?S@|7AW6}*yd<Mgqco#1
zqky061B&Dw@&57681kh8hc&b0g~a$mbA=wWEe)~_pMRMCVEQP|QSdyMa5!*7bkKPN
zZ%S^ey-T%AxQoAAKdJ=N%VhAts)Sb<nGo3?8FS6H*E;oUY86;*srS2sI_Z(dmc~1Y
zB*`oZJSnD3M%8ZN!$M}6O_}^WlNE)Pq1B4j^8!P8)Ku}5Th>&jKHKk|myn~HwlL3@
zC#&1OBi^F~{51S7d^~(r{A9L4cDyv(w2`#kw0*Xr1`933MkuXat^Gzlrli!faTPQ2
z`UtMv%Bs_1`We20^>W@y<C1y}^L)AbNle{%25k<(W}RkbHz9dxMh!;&YQ^(hKE>?H
z?1Jy&-?hJtc25I-7(@uB_mt#@=YBWLGR)sLCM}CApP|Xu%I6;BG;VSTzvTO+O;Hn;
zDH$&rH6p9LJino0&^FaDg=D>FLBUqe-aeF9v!<z8A-0&q)yFgJo$rzUNQ=lDp%IaZ
zy^gI<cS@&Be@sWDNv#R3VbgF_^VIjFKh0X#*k>r%>X&i-WYPLwV`VA*rt9}pAMP~W
znsw}Ux%R0$lsl4Vif3k6-VpbYPL%s)XIHBBK%WKl<Ad#%$;-%Ju#{euwR4iio0*!E
z)RV}Q`G`n37dZ3uxQ;Up+bx8SaSSF5k^1iTx$~;4Nx!s?pT=dEqV`?;ZTi=jc~@Rr
zo@r5~QRBoTh7yYt_VK3>^+J=Y)#KEwo8#||&aKXi`9AZ7@kQ}rcDZ(y`!GHjzCygZ
zKCNFbUF<(CJ<CIJLRG*YAQV7}L8-y=A+o?@K)XQo^?>)Ze<fm^)hE-L$A%Dk5q1sY
zfoDh3#d>nWWuRlLpg8epQFZrqcY~rg5)~2dZ<mM}o*fpCh{Be}b`u*B9}ry-mlgFA
zO%|0-)}Yg@-w}({iUbt#ViOTyd6Bs~mfp{<ONabA`HArBjDc0>Tm8uo$Hv{#v8k$9
z{T@vRnok5oA2-o{hhg@X?#fi%=(oD<LM<h<hdjsc57O>OUFtrVzQjQ#2i677h$Q#x
zh8as%Nn%O<f{+(%+;XYYzw+NHO^i*<r)DjkDV?wkY<Osx6CyVZuc6gt<)!Ro>|@Jk
z5^fu{TsTw3%oCW2lc93bG;2?Zev`SCh$KrV570!cx2oGP7dOowRUAj(yV*(Gu^sz3
zay|0w%WlT*=3?IE`WF1s!+vIsQW>;ZrL)>9=ce1!wtd@m9Ag8pkyyDH6B~;%CD^nL
z-<Vg-QLO1Qu&6)Z8x(34QrzyOpVUSH4S=vfr|V|*l~$|CBziNqMq@w2f69}u#UF2K
z`lvsykKYBJb{5_hKD%wX!nv)jAGTd<q#9}JtxQ*K=~nKJU*%mjx2vCYsTpcJ7@%6l
zn8Y-&l+<-fRa=QK6dx5F`Qyi=?R6e`HJ@hw7+PKWzG?Gi4m=8S0G9952f~go!}ki-
zm4Y?{hHKjueN)GIM{VEDzvzDvIhDAKn-UKaFC6NPaarJ=U*ag?NCfsq#Shm0au~9E
z-MSU_!Yn^jV9jrRfZ`<Py8JoxKy;pk#IxcN?o)P1`I>##G_4h`mAkmM7}it(wDgkk
z+C21|%ltU`k)A*OxA#rtU20nWsJZl1+$2^;I#;%v@0HMC&}BpzPRM6<XTG+Eo!QK)
znyQU4|Kw`D%T~wI)z0S^)#P&XDlT1apG=?5)8N;r#ZT>7-}Fy>Ee{*dZ8{I_>tDb9
zs*LV}_St{ZeP-OaYxCKS{+&qx83FTj#?a;UTW^i`&}ZXy2DTJckAK{g^VQ<j_~cg}
zC4xLnRvCZg>%zm5S!w6ZNzRhNRDGy<OmK@Z<L{)$YWY6ssnRK0u?Ddt@k;Tj$j8Wa
z&)S=Ti?PV$xnDuwso$FJlV-}Zechfr&5cI-FRW*dQ~9MfO1ik77Vm8KO%8VE+$_(F
zio-X`yZG<?Uvr<0Z-(LyPvjruld_}u-MrynuG}eX%=R|#1FxU|yMq5qhW;hnfy^xb
zNb5fm_D|iroR$<87BX})H39skVU+;7|6KD&$NwW~|1I;K{$IlVj}~`%*W1hhMrlhE
zr+20Pm*9RE>Hk*rEX@Dyp2CLCh9EohzZt^mU-0nn7Jmu#|2>MoR6V1zi;?qR?4jc5
zV)}P@e;(uSlZtZEYU&!a${sdGb|6`mzezyE)XCV<(%#w55rO6J&=^H+-?QG9w(q^m
z8X7Cv*%;dXyGG2?(aBlZ!q5@G3}k=Log4mVN!`-K+2Z{f5!irC|N9gEcR2bJ(!cxu
zI~F-Zn|BiU?_q)r&ELm><?oAx{sl+$Ebnv3%*_0UPng(s5f~-khs@Gg(AFGe`aYhF
zf=<SNxa-f!KXmbT>90nN!iM$|rk3Uw&Hx~g3&5!CY-*$Sr-{bjwFvAS9PjO2&Hs8H
z0FdeZl&qoq-z8=ywtofkzEi-I1;Fw**!_EM{;K$AZvKIuf05GPMP>jS%liQRk6R6b
zaFA70RG-@KyEx7-DIrN9@-K@hYnT95d#GqgOaXgjUvnmN7LXvnQuNZKRoIS=7_X$T
zX@9aQm!*B4t9OCT|M)|x>~ue)aYC7L(pIZ{FRggus=@S_;`+|ZPAsvh{`qX}-1p19
z@Aq@_wj~>jAdv%T7}qZ$)rgU_9+(W8Z&B+~iP+H)p}nJ3P0>^z-H;ADZLB@j#140c
z>`(3NZW~1`TOyAuTunqQSumHVPd~0dwYrlZyY8@OzNPSZ;LH}GY!;>XaQZjYEiTQ3
z)9UT%K`FO=UUEDBFzW(W<WgxJb%@CUrY+wM)gL?LC#PTmIg>-3l8gHd@RroFv~}Q^
zDC$Xed$&_}zB5wS<7@R+UikUScc)r54VyZdKN&Mt2A7xcegr<wF;JQmmQg;5pC}3U
z8GTy8*vb@tqAyO`DL0`YfAkba$D|tp68kt7`yR*KJmhfx&F4vJnV*X&nffkJS#xFX
zTB&~Q%Gooo(^=N{ZUi!QrP%({czRrCCrIp0En|R_gQW6!_v7%?+4%9vK}Yemo*}TH
zIG?eUx{g<d&&xwnOGj(%#2|&Rb}H#>wPeq``z(vlB++B4R3nBk8UIzeFh>?)Pojrf
zDJ_F0eb>P;kC1V!P7>RMCLjZQQSOJ0Ur#~m_>&QaGZk)2>JcYIpg@?6A^64RxTr3&
zYX3mU%a)be!vGAs%+KTWmJ&7etRo0@V^x@JW2Yc;8|G{qCx=qoR&EiAY}nQeTU1O7
z=a8_X`X)_xt41$0xS6KYhJLje*jbKu94`1)JYMPW0(F5eQ{Cr!JK7RXvR8KOfmJsG
z6N~0b6kkUa?`#X{7y!dj;`IJz%(8iEWq%Es!0R0xZIQscqp<7eQ(v#@;;Cv*E62E5
zTgw}852TeE=F36+FzMJi@#gAt+js@uxX^Q2CJe8N|LjY)Q4v9_Dh>zaCRop%xKk7V
zQrJ0L`b3x|SVBIL`?ZUC@2uU(77an-`U?S4g4ydZ#JW*s?X5WWv$I2`ZLNIsa<O(r
z;}Sl0X88@oVyiHVibt8c$dWJ{@h9u;Mh#xo!@VlUe5S(1$acDFIDxDHsPquZGF2Y<
zV!isj(L5>LK;-<0L1Jz$iqV$xc`J_~9vsZnxXe5?f1AD(65?9D?|{D6(Omf(69t02
z&ezfvR?sJc(B@v}OYGr6uCP-GL_b#=;FJi@506U}1=8|HOplS}JjMYE2KPq*tZjfd
zXqjURf{+4Q0ao}2^F=`V2E6F-7cgH`;R|Zc9B6Hx2oSia7t&dX&N9NYK~-!aayPxb
zoLsPT3IurpCXpEC#mY4&7dS@%;uKYohdoh+utv<w`3PYmT4;#&%oBtA2b8|-ZM)bo
zO1U6IlDP9megSs29Mp6}G(N2I{*O$be37SmuP;8oWXg~~kKmlp+6Zu$y+XR}_Bp3O
zkLBVG1zbQK@gjc7qw$g&n*~}=S)TWj-Mj(B-adB(H8EfW(UJQ;AsvUkXls{$?B^lN
zn>yf)mWnLGZriq;Ck!T%AdGG=6{0QSkI$2xKmVZ69sEY`kJ5tJ)F&7D6MY$xv6o9p
z@W+VP4sDu<*CBeXTv?LUujokcf{8hXyeN^Hyymejl;uEfqQDRXjx%ovn^*K9Xk6lY
z32JIej)Z|7a7R>+w3mn<2M$k=1Vizf#MexWtG#md(si75RCSb&GUanXLxx)%0UotF
z{9m9ztZC@uZMkKL&I4VdXn@%{044g7=j$)o2PnQi2kgn7<UkB`<48(q&Z2E9a@RUP
zI^yO8U|rS;F=GM~m&^u<eyrW0%;$*7!iWQ-A7bqm9LP#?!Z&cd!oS1xzA;g1Px%g@
z)Nw4gpFrL*yS_s7P*z|7;o6}XyvcOXy0Az{LTRE)^W@h!u1xx|G^=*43bpE+lo5Y&
zhH!PE<c|dLL>8lzAB7|>bLn#WM(4viH6xS$K#nm!yE*AZGIYmkzd^1zU$sZ#8+_pN
zpS$4I>D@WFlm)0Mi4+<8+L2t_vl(Ur<LL{MZ{oz6rifYmj6*ZJsYr3Rm5y?oXQG@D
z*Cp?##SZ}=^ZGR4qf%=y@IarOYE400?NKiE>nDbH1b3XPW4)lzPI`r0krK>Bc<rE^
zi-L>1i|C77d!Y=9Z{gsCI)rHYm{Vy=ve<Jn$^q1LsXL#%=ft+qIv|O0na;+n!B*tP
z$)LWIX0!U=&gRd{VjeKHYP)Ce7($Q2h5FQBcL}0WCZHaG>LMQ{G55}G>*DD`HtQr$
zB%8pZ!>uJD%Sq{{0Vn=rKhw7`Asez4nY+b?$vx42<i>0;Uv=ye|H|<{DV{PIdchb4
z=nsE2{H%^k#>JNXDNYYyNR=!DVxWyni2E_cC+tSBV{!%kux#1!MQ*#ZF@-N+DzJVh
zumP@<z>qO-k})^qB&MMIIxoa?gsd%ljit_Ihw((whH<2z7+g$AjK-4Pbq(Vbj2B72
zFKd{5n~bn%$Pk{7{bexo8hOLZ?Pr1+wN8<wJ3srDQ^A<6T?N(m(uxL?vy2sv$qvK8
z8_NOZ2m~AGNB*&~iPStjJJq`Cbe@s;q*P{RAE6%)^B<h9S_=9DA2>Bx!XWaY5HhWz
z)VEvp7<S68_i+vzj)a5H@q?3Ths*HF`>=enQALf}PD@&^#MACdihNWOQj%DxXlYb3
z%6d1QN~BWQ7TVD_4;6S3`0ch3k#&aIL&?Z0)Yfu2S$}*)pwt@}u?9B5X6T7462p`C
ztCufSUWx{xh06=Dfiv?do+8AB?e+^Ch?q-;e$5DEzM@;$-btmg9Wd62o?GfYK3bOx
z8L+zjfaR!ks-Dhuz(}8-3$YN4XIr)xZz!fYz)ZND8;B4BaUU`<ebPwYR6^f{WjpEZ
z9-L6TJY5wa|1yvoSx)vTx_Zc~I!Q~TJGEA7CJEBt3#+So!)HP-LY2SgR}ZT_<3#Bt
zjMenbs|JmFz}LkCU`%>~jRnT$C6}1W%tKx_G1tZdLX2|x{9U&d<01uZx1mE!BR}mJ
zUrA;lT``7*bGe$Hp&~EeP=NwI6!tygXajAkF}Y|Ev6B>AZLY%zGa2)tRsmMRrzE_T
z+$!U$f&5hRwwR-dwP^ZX^=ZuJaOQ~_!DB+WhkXO^iz~FX0qq)+a(A6Z4g-dnM_iI^
zqi9W4h)r-;KhL+ZT0;Fu<5A`>ux$$G2{U@X`rV-Sfdq_H)7m0sgK2p&yD&b+ira%s
zl`8Gy2n-Kcur4Xu*~JC8b9RkK&>QGY!mJn_%^M#Ju`HTy0y=T|ol4Y`k#yr^H1ec9
zt0lymy;M(jl5ft<Qo487X7ua0d^+ko0~2n36Wd0O>LQnwca2nXLT+d*wc!sbD7I!P
zj1!C+;S%Yenqi0Ye9Xr-lc=RuXNxKWY|HHkp}fh6DK`g_<F(Ijp%n(FcV6dDW7;(i
zo~8b7rmoPPcEcN6u&HHo52N3+n77gU9Q^5*o{?WG{$;ALZj`LQzzZ(k#+E8^5~vz=
zW#lfH;vVp(s@TNQ_Dr3-ut6hlfiSujfZ(^jHLF-vm4EP|1r7+}PeP6}okp3qK0tu!
z%XxiZ9M}>~iWToBDpJf^nZ9=C5e0O>+MGaZAp0SBw%*z?V9Ish-(#V4BV7Q*f1e`=
z5xj|-KF}*zeV-(Iyo9Gm@P)agn3=+z2v30G_m|=NA{Sh__+qot8&{`wJx~|47spaU
zML<2be`Co}prPzoLA?kBXP^Zg)aeEi37`i%GlKCI49yfn)u2F-GOi2_NX90ajLOJ7
z{U{@{F6TAoL&QRylFt^Kl{va?<(SNH>5Fvs^md=>>+3^3$16&jaaq2=1NU{&zT|!^
zW_a<EC@J;mOJlFB<-dkfGEQXz_f1_|YWv3Ew2JTfIgNXX4%E;32HDvybp3zf$A5MZ
zvv9Ek|6#-bOn3YZU;lroOi@i$S(H}z9bSwaE&n@|{gZI9Q?<4HYd12>zcNSvMlsg+
zRLXym*q_2bAO>K0zxaPc&Hv0E{R1a|XKwyS9MO&KvF!t(iJW^6d`b|8y2B$@EhTxJ
z29_nDcGon;S_xQtUu@!pCP?v~_@{a>(eb;TXS%^ZBz-+(?m6fn*XfmlG3*}kSZpxJ
zlzc9=GFyzhM7m#%w?BKq6_A4I{?1xQ_G9b9tj}*K&nHgQ(f4cL>zaC@zVS;Bo)1J%
zB1D97*O~B;JTK`*c-H51pX4UxqBo3YdXgQnREtkZGBqtCHn9!av694z9XcO`?S5-=
zGevsU*(B1DiqKlU9e!x=zEmBl5NVZN7pB)j;EbtO9Y7lkaPbAVWwXclzs&GIZU74l
z>pv6B@=xOLPgd>UGyMPH*#C24|H4?d|D;%Yb|zK;J?kHaWnp`#Stb_X{}W`n*x$MH
z-yHh~T>pb(|IqP&<5)J}dvE{6vFz_Y!+&rrD+}k}q5O+u|IYpW2gm-Y_&+)JUs=I_
zIF^~6i3|8YgX}`On@+<1kD+r)!$5R6xKJ_K3-mH%&LgU5DJTp<LO?%73&yvSoMHQX
z73)UJ)2j7Fxz*WAG#gRw2Cvn{Gn*x@;^M}3Uf!nR=l1M~2&<_>kKgY6=lgRBJL#L}
zZD*Hj_pcQx22RG(jiKl^y;Ndqi?H~CZ@Bz0v)>&}>ob2wdK32&m04=2$U9K<pJ=Ew
z7X|;k)FVzrZd~xE2_LAQc4(APs2F|=o?qmsE^_ZU=~ij(s4MpNX8sxa)P0n78gY-d
znhbqZUiuc;Y_c}3v94TY;3eF}$qocklL%4G`)!ySz@-D8XebOZU<}bo`_+gshVTZ%
znN*T?(euSOKez}l^*%`Qhx<}=t_SE>d=X4ra)Yw=eg84UzAdyQ?4`O9Ky8RvTe*!!
zn`!su^7U4qPcF8_PD1*qI7nR>Y>p%!1~O#jS<gR@0QGVA8oLubQQTC1@_~H%{BtR%
zS|~<9-~Uq}AA}F?Q|v`3Q(wCg5*6g2o_f%M+66uwj`U0diP5wkx@7Q>2ww@r#1;Zt
zbX!c$iP}vGT>JJ~r()?Sn^&<RYq~6G(r|9jj5Hk?q_t9EULQT71+-qSFsl!rkOI<!
z(pK1NHG7KuCmexe%k%Z6#`TF47{G{?`8v)1qF`C}bQ)k1h-MjT`C*05q~34B8+g4u
zZmK*vI5ar62Ld`RyDul!Qk%Z_1D|dLtY02CVGWpY28x1;YN<_>yUl0_I0$gky@4Je
z#}ygFUnU8CW-RIT%Q8l+aT8F$Un?f{TnQ7LK;xB2L)NqjJdju|-iR4g`ZlO;*`&^)
zhAVS|2`IdhF-Q?0`#GH$qyh|BDX6WjudT)FHv^=DgDOBz^@l?gNwWGtYEb+NS?ysT
zMVu@I0b;s4&;c|KGFs`c2{XeS80@ErmxW5V2O5GRK}etvz`P-<b&y=mq0u#My8beu
z`L#Tdzy1+6J$w0Ocn=o1S^pS4(G2P`yk<|YUM4iYCQoNve#xBJ2fYpMRfFDo_gI11
zb&r7)Lm)mQr^Ja65TC&{U;6!W$JpLSpk2L3#6&u1!{GXJ`qFa8=pJ0U`f|tk9yu^%
zrDJ#x8aP$&5j{~4$}+rWOD|sL8QFse#?*U6PUM47YPp8@(1ED+9-$KfAe5SwsiK4l
zJ|JpMYxaa5&}%tx*|}zBd2MJ<4|reGnl8(o-oCsxvWEg}Us;>n0|J}tT7xDgK(<Ep
z5ff1$*Sc2!iCa*Wu@il|^|H>y9u1ItS!ZMq0hnCh8aYu2VlZ@KPLEgynL81uBQ8U&
zWK5Y6q*sC_jq8IZT0y}2mHs_KpbZFEx6)mdG~o$6Ual~$51z0BmM>SB%=H$f%3`LA
z0cn@nYBVR!@X|ejE}(C9n!RSs=~}>u<@uUYGv$Gzcv<LlFarMcAP{y<>Xg~1^j6U5
z%EPkzO2&j43IS?53$PGmR!?ol8ZjXQoLl)&n>tt&D+``p3R(l{fUZ_{PUEt_aU<^s
z!^k#mvpQKQu$W+q?gzri3e1bmh{Yr43f4+ADK%u7d>qk=XV3LlRxow3F!*GGH6j&{
zO=DeD5>^lwPb&oJG?U|R!ZpHDrX;T<UdP7P9h4?5ft@fPPe)P;k31}%WEEZ}K_f{c
z0YT;)A4G;&vhE$e7dK8$O?esTE;&h&D*Tg}nv|M6RaQwzNrolDgkl6K{*X+RY))uV
zXgoKz0AP|CY(W#oZ9*@!gP>U~d?k4$;aCbnXmpC-QD`3_Gmn$WOT(0;P`JJ%TOl)#
zk0iyD&Ws|)lkLn9WC=GRa{+!e;cOfu86k6s&5&b>G@%-?oOgkd{Cvw5C_;`Wqgx!e
zT$&kWf;J)$4^E~Q|Nf67)>@5M2_@lIbK)cEc%c!KcrvLwVo5T|92P`L9`auj<7Ble
z*uogH7^0>W@e=W&3g3-Dygc*OP#9uH1qJ>j?;c^Eb3(>+IhF2*SE(z+5eJ%QN>ToV
zmw+A0cp~9a(<Zsy5Ctph9k1{%(#LN*1T@cSdDRlpao&=q`mryW@!1J4Q9IRSUvg=(
z6>q3TvlVWbN5sj*OHYL3QK=sJM!d+*<2!^^H;NAE<2i(VrUq3u;BGS^Ju-LLrMjdX
z19!0ElS@aX$wH_fNk$OKrV@C>RkO%Fg5%{Acto$rMli`@lqZI$JQH`&Mg(cR0(T6h
z_(ZM%BjE9`WSJ^XM53s%Yw~r;Ch}C|un8zZN_#?|CD`JhCC<oOLw0QAUE|w@s9TO`
z-IN&JVo!?dRwZpoTa$LM<I^Q=NmfK1NnM%}JX`&DJZajaceLWIC8~;G)D;^7cBJBI
zOHLe*c3I-3OHVN3BP1C}R^%Ls7drg%03(lNs}fD|88}iX24~trBUrIclE9F7Ycv}Y
zF3Q9c!Fg<{!3nVyT&Yj6D+04p6HChNE@aliBdR5J!D-bLnxb{_1wjR=1z~Nr1$(p-
z_(CH|2c}#uO_5fM3G;Du<eEZtDL)qC>GI+h6t1n}Y05Mul>{*WmkD%angR(~@}%kF
zEXfqQa=OnJ!g}%bmMu;e!k>-`BMTBufRd6_BVl1!A@MtPlL+J^n6742maHaXRMdzp
znPng1WDv=>0|J#K6v0PSq}qff2^97a$ZdjlLgIl!S3;6Dv1<x>1S~=QlJUYUT#2Dm
z(4(3kWD&?8&}7L{(WGMcXWZjY6na%e%!4sHVjXe=9fvh&2!vTaC&q^D;HfyNPzlO`
zOsE9)V#Q*SiuW`df@CmYU0gqpFdc#3zszKKWQVy>ty01gDo0LCx2a;8E2TIDBLFLo
zSQD_Yqym1)@3E$QPcq1w*aA<%bcn>%WFusfWIhrYrGgObH3}?QWYPUH7}D&<C1z~o
z`4Tc@ab)N!tQl6pin9_%07Z$wdhV`X3NCbg%j59sx>tnXh@2>IVQW*vuaGZLzEJ#t
z-@Fefrkf;hFy6>r5JR!QF}(fjzLUNYz97F~y^!0+oz}N#trl-#UNAqvwdPNw_P}oW
z^q&iELZACJ_h|1GHgUW!(sly+97`*Dtmeyl(BfPA%-kTxfaGq&#P6YNh<l!^*B4Vg
z{D{9JJ;F{cuZ>of_q0|M_C%W~r|%qY?s45eaJHjvzXIH$cnI5j?-W4!r#;IQtNzPo
ztG?6lcf`NJT8K=&6q{gM(GI}yTNurvPB&5-o4kw`SI?p?8ykl}HS5r4P;T#R=W4Gl
z^X*jafPTxYp%uQ3)~xhY>>=}l!|!;zT3CN6uiAQgX<=9w+SQM?2W!jG9`A>4_!~o5
zmSsDq=eN_m1JS0_ndTLS$PJrSBbnw*>+vQVwK|)09-AzuAFDhByp>tVr<GYLYUD)=
zKeXoCsv0|Q*VW98L~cB%w5Hnb8nf85RI?UN%Xwgt_QUY|u=mNPM(?oYHKdiKogywn
zunRjyN9+{Eny6rAj4W%LagEb?qq2(b#9}PyY(duZ_<a;sQQ`#1d5U3YCwvXXGoOc%
zU8?NZwAW~P#(0rW$9TuAj(DY+x(8Mwcp6V5c-U7|vySd)<V{_JC}U6W>Bh6pHK+MD
zSsB~cSerZ7evRFEPKv#9t(bn2_ew2hYwu@m@9bx#^(r!_xMHn~;F()}f7K!K1f4=>
zm9E&vASU2I(m|d;Mq+dMr9v`c7^*soYh^CxFWOZY_Lga)YDR@!zS_JZ_x*gP_NafN
z9(%SqadY4|_CAs>g)u*>k#Y0hOn&lRzCZ3V^vUoEL3WGyARW#-kV3crjU``Z(nelN
zj_<If_DRQv+A5fvPcuxuiJU-3pOSVTKHo_Ff*>B+h%I+Qk9=hh$XD^Z;se8nT@1xN
zsw1|r716X(_o^b$+^qC&dwqdU#Bve5{G*OtNS@Blu>z8Zsg{zW<okZrCOaHRr-%ms
z!i`vmr7Hi{E|N-F&tm2K^;txfOD=4-MmDaF$$F9AnLs;?$Prk2Mopy4ODS(}w~ijX
zn4Y1bm7hpgmE4mDkpwP9+#4WPf*tMVm6V@sq@>AL4a+}S+`J>{2e(GTQn8Hf2X}T_
zGnq9>*MGB2@j7NTn2KM2rGN$13x6TLqNZo*ha`7rXD9t84`)Oy{q`WZpkQZ+`N@-G
z{*{R1k&#OA4RP>+lE^5eoBC(wtPLm5cT-!K^lq*kWDpdA0Ide<qJN_SvIer6e^L%K
zTL4831e@Qk0bU8LivhI;1a^Q{4cxq+l>#)4AT%5pzXlw(-=o2&6vR<~RQH}01C$Ft
z76k;e01O2rGyhZrm=u)oZZ-utgl?5B7=~EXD*=WShztO%42-$Iqyb3^*kAz2o&pzk
z@GG+c8z*EW1ZfW(6QPN}%obR2fS~~uC$fp3GZR#a0h0uzs{v#{w*V8EhTxZJ)Pk>F
z0BEuRvT0bduTTcymjIL$LAp@z8300x09h#5HUK2Wu@Th`_5mQ0^fki~!r5QHhjEMZ
zf${<G<?kiP@4UxtOZx)(0pA-s+MlrpXX|{+>4M`z{Q~C#@8N?t1Ro5MfBu&61-Ls=
z2kge*3(uD91&sU04w(1#rki%l^a6tuNe_zAZ@<TBOY;KB9iIm}3rgN^sK<Cq(H@Qv
zD#kCQM|exn9_$1*(}2hwYz_79D=z@*vmeYE<o#E#?)99HYyY)|5VT;eLD<4@`0H+o
z)nKlHRlzR#TlcVUS=nPPgI7VR`;GOOZYkNrzi%0XY6?K?fd;@$!mf6!*?(FlDJyEA
z-tV>f|C+~XI5j_*8bUhA+Z+@+Xz6Yv1w?Frd<En(0rC<s@GV%x9tb9)aY!dYt_yHR
zPJ(gpPYN(nJ)pnm@iP^~oB%Nun6f`XivZs+rs|igv72lk_b&ctu-`ksFt3a?&tX})
zmgj>IFZSi)xPv$yxLzGpro3u3NYX?Ivi8GHe>yrSbkNfDo3&W?GdQ%jC|mqgysU7)
zPE`9nwAG(>;fZd&7Qzp8Oe%7Jd1g#$3!Ay^KxxV#K2JIRrd_l;`?_%MsGr%=vFez|
zN}?!oY%>u|dT{DhSpLju+lt=1#w#}%TzPT%^sOsu&EsbmX1jc<KrI#eu2EGA<sRa9
zID<FUJT<z(Q93M_JUzO(d{ZiIDE$BnVyo?|yys0TdK_e<R*Mf4d7>5l_26Bll<}st
zH!Y$Sy-tl9q>JG$Mx7R?9{Ppmi}@y%S-Mg2$VQ}h<6K4wXByP?ni;fB2GurLtNoA5
z#$O0CH??W07|?Kx`1Q#cu)pjyXDc~|wTS4@F!Wv82el}jpsD|AX_3?U-F~9#`KDE?
zycTLK*3^QLO5oBgtV8|@Lq6<zpz|l+rC-;#Bn@pXbiHJJpF)Bfm}BPs3CgGxH7C_`
zE1PbsVGmfZy-xh&=EDMPTCYXLstvRG#B$7&71X-q#Vn-ie)1H&$IU(JC5g%HpUQh9
z^l!}-8MQja$F+JLERGYd0JqccCh}Ddb(_St-FWVp8@pvvZmc}51TJ43ea-FGbv;+;
zf2uhU+zr?gf21|F6}N3}f!x2-&C^|r+P8Z%5ih(C_qyRN4nsl5@aoq)8G-HRn<?G@
zt-RvX;`-7xk(JdY)Y*B01KS_KDf9_F#J<o2Nq&+ia;+!p1k;l~oCq@}g7QYI?uMCA
zTmBcqZHBvE2S5))p5$}Icm99_QwNdvjgTti_SK<NmmB1ID8E(u!>Av$S0I-O-v8b1
z{>IPO`y63XTmHO%rn=5gfG85B6pR|{X3Thsh4V8#%=EjBR&CfpO^j&#^6G1X!zX8p
zCGPD;O53xyADX@!-}Z_Iv5?1-7nbOC>snkDWnEMUdZDlPC+P1zcufoIrNhl9GMGCp
zv<!PxnrZnN-NISTuQU@V<Z!cn_F8I5gUwA*CM1aRP?`!U$TfaWFwZC!4ToMZk@97m
zx2ZI5R+&CD)*v<J0Hg=4z{0vE;lG=SkNQ}BoM2dmR&bV*rL<ansVYja`s`&*gZ)g#
zOiep?rgZuv;<2n#nVRvk*KSJP$MrPj%>00lP8f9@ZgzIM_e`pCqS-op^K5pF);fUU
zi?3SIEIMXp@t&%<xoLRx0q!y`r%lO^>0G4Dii1I>dG_2sfQ(tI=0wUFf{Nt;xt@9#
zJN-oQzDU+aGIm_C=#kF~jx}z5OZP^c2bH^Fv8c+!$68e@Rf8;bR+woj3uov6?MA2&
zpv=TlaOEo-7NSO_Y1t#gM6Qv6XuTIlj>YyN_QIzZMT3i@T1Muh1Q!1+8IiVKabm>X
z4_?WV$`B{egTd%VzLu7bbU4nRMWG=oEBmEubyYNkd%1eI=a76g9Ydw#dFu+Iq&?H0
zRVyl_T^_ykXswkSn-ILzDDEoWq?UST6>XOy@!rBmwMzYua?)b(jOayE)t&bGI3al>
z4v%oTAZ{UjWsGWdf-$OrLN?R!^Ez5KWYdyu)()lWc0!uT-x7=AznIF?+5{rnIE1!*
zbsQQ7AMKjQIQM04d$t(DZFiZnU>1AW;cQ6cIY~rPpVn5*UwK)iA<SlXt!9^XdaCi}
zThKmD@RDq_=!-UTayNiIs$^>3T-X~;X~Ismt@A=w%a=c+Cp)q2C~ZwpFqk2sO7voL
zi(fC-fL8BQ^R$w1lj4VqJoJFJKoXtnfUw3#v3<QH3N|T(H^5CRb(1l~6?w2T&O3eC
zo-S!3oMvh-|NOfEJZqL3!pD!d^Yz&Qe@E+v4kp+jzP(;xl9+Z5%uc*klGPx~Q|fF$
zrJW-DRIgF%wv;nCV?eLfX-Dh$xw%9oNx%BYt9_q}nwvcD3Pdv}qNSLc4EZ>bu;+U4
zta_%#n^iW{Y1nffj@XL3^ih!zNzDb$xQ!>V@?*Gd?={1PWj!IEYPo%hrDKL>>PHIn
zbhW*yzLn#_BxM&^mG*%%6qwKLt2AFf%9+>n>{e&`U6Yhxt3fX)os*sDyb4WQ>Cz6x
zQ-vqy)#*5!qP2c3tE(*ND+STg-=8(Z8E&fWA>&=>*7GkdF+-Vdyt)!+crF6!S*XjG
zO#xnMQQZYg&1Y^1Geyb4hw!{rCn|wi`BKBwd3AFFToHQJq{5rAn7`ff>R2PCGS-A~
z9Vtc|6;E?{8)d0#hvOk3I54~)Lzw3Ry5OC~Lbzoosmv>SK;7}9x)?%xU`JxqM)DO#
zY84+3Fj)og`6b;%xGJA-v#4AIEQS9UdG8#g$+E?3w{4r#wrykDwr$&*wx-Q#PTSVB
zZBE;^{q^i~=In!g&xtSM{&(Z8H>xVLDl@BcRYpZUzqRsns-@65&m4@P3fFgHt9a5g
z|C`Y+#j{mps>#l`XsqTde<^VbnrMa<Gp##H_m}efIj~n=_ge%Cc9ly7W|2&4=0HwN
z;^?rsZ*xalG@@f)A8}GAa=n5^#Y&pf;=k#cx^8{LzA0@&*v`1x+K0o3^NrwchdsO-
zKRaWz{TVTD*uk7}ea+vj8sV@Zik`&_ds`^^A}%}klM>hgr#sLxwe1E)<;kwbF|=5r
zSR^;JI15j%r@S$49~(<~ORWd+d!wyTPW>Zuwvf$it6KD+O{3X2{>&T^Bf0ENOa~!i
zuOGs<Fz$QbO3*SplqFI6NhRA8tBHF1?Zo1k!Xx_zsgzNapH9`Bafl1plMhW0X<~$o
zO6<qrM~Xl6k#{Ii95jX=ksKNkSkZ8o@w_JNoV`@jp(1e!3wh-{s8!YxXn}~v8Fh&~
zuvMJol!=BvEUCcgN_i<;DGpI;=jNL3Mg)%2!-cC&WawZv&O}cQW94g`8J-vmMiNi9
zA%{hWQwI!I?IjLQ*2*j5lG%NXj7zT0$YS{PS7VTs9|AgM%^Y#nQw!Hk$2>SOm{Z@q
zfi>t7npKVIQp5||$^~`-i|}n-lG}ci%y7am$pe=hU}Y3;6`F`AZv;jo7Rjcy50hEy
z5B5FPOTXqx9(-$zZ~J_l2~LB&TZDv}s}+N=fjWzpi8X&0VuR9psZa0CKB<ej$Z*xt
z*;_KVIVfDMBXWl5IcXzLR(u7k$g*Vx;B!*6HUkvO7tQHDU8nrB9hH5tn%l;A61P|M
z<SQU^!hqgHQk`+MVoR@k?gn>nz@YNv&+t>9?A4f<Ldh>|G-Khlh!&NQW-=@UwxE5B
zygGeNBmzJJ?qSgQtQK=b_J$>pN~Pvan*{qa3(D(!i=3IP-B>Us0-rk(n&dH8O*iVO
z5(88Ng<zFNVkQ@}c;w0(oei6wjs`E)wJFDUEh1Gaxb}kIUr8u;G>zp%Y_DJ8%7g{!
z8O-qUdr91Q&+zmyzdF7&DGzbQYp>4%QW2F|=0<uQgi(qXjD$Nu4NlE+aqfu~z9+@)
ze`{C~`1;wS5@X4#Qe`yi=2~K2V{;P5yH-9d&SKa~YpLq(iZi$mT9&T&iqrl;-Pp3#
zr0evnOUzn_9BW^JzY7M7kZ9+ZgCY!@c(2CI=Sgm=`5X9aB5D~3FKs&fr<k@$HLrJM
z=+DPv5HBNF1dN*xqGdyFAnSOTBKa6}CSj>tl-3bF&j@F@wIbmuIV-*&FDe}rR9A>3
z@NDQ@9oVd!rrX@6UMWA?Dt+H^oYxn_PWywpWk@V-Wp-R%j^bu+1r|0DwefMJaQL=T
z7`I+ycpnC@PB()tiA8;Hev0K?P`N4iUUzUZ<CdP4Vp~Qo>X=Fo#+_!$J9Eeg?c8xX
z#iwl__%7PJ1#MRWud<6qUr|7sLvl*khYSwpLpWd9^(@XX_DA7)_Z#&rGGHEUum@&g
zGo6hN^-r0?Fk;9jFebn<szi$U(6Egkh0|NfIqpTm;m`8%4&fl$V8o`Suu!ZjaI$$%
zU--xM4?-9=Q8*l=HU~x=X$7u-k;X{LV5FZilEg`g=cXsDIbOYJ+FlPHc#TI_xgSC8
z5BqZM5Q0$|&5GGgM8pYRaL46sps|_pz?)Q+!kZL?qG)6wcry9ouDwqJAL|VxE>qai
zVxsrD%PR?Th3N15H6lKqBTFHfm`<*->6`uKI{?t!g~49{yx%yMm5qh{H^KYEP3<?;
z`jg;&z_b6RoK=vLl2(wW5^ylr|104v({Bg4e=u66Uy@#hUu5jJT=u^(S~m87VYGjo
z`@4yMXS5%9@9*XP_vlprk1^UmZp*J*^-qlUkIwjg`~K|Vzh<=m(XoHQXjwmm&NNIP
z=$DcHLkY}4&&2V6X0-pRHU4m}{3k}s#_)kk|G{XbjrD(Ntf79{#ou+u1S}t7^FMhl
zGxI<5+CM7)!*}y<y!PX~Ul#Evul*z8_jUg^n}63G{{q4v=l|CTXH*oFpN%*4%=Gk3
z^u)(MQ|kc$_k$3Se9cl!1>0=|FfWgs?L~pe-h_{39RYyi-~H@YCn;(p0h)*pn9t#G
zm7ssc!q2N|V*onq6~e{eA*f?uL#gx%hJfGLHU}H)B_K~Z>dk+xtdn<@8i9$qh=D-}
zCKv^(AT6zlX@w!fP{l;g06~AygIWdjNYH0xI?fxZUm3IC_&7{B1~}h%P~CzSX3x4&
zvRHZRI|GWr4&<*T)1;Hb>(c7$12YZ;(>ecMf~4m+;&%%SNg6AaLj6Naw3r%x(w&<h
zQG@`0Pg)*KKGp&u85P36x(iN;pqRWE>JtX08pazrJ^sUX*YHKUfd4Ll94Z1mBZR<h
zEyD!^J&3#KGsvSE7n(8Y-a`lgz-%)g_J0mIOn+)Z{^1q;hkxzwUis4+|HpWv_*q3&
zO!T)VghtTT%IKrt{zWkl#q=M-5T^ej4EgB$e+WZZ=-CJuS=s(|;Q0%22-E*BaR^Mv
zId^c(X>LFjm0%jD^05ADofSNP*Oyo{{ve#IJEpqheB8Id(|0Dmz5TZW_znQyi77ZW
zy{jL_TH8r9-C?!xWeFQ?H1{R9Ck9B{An?x`c85JE0u*3fd=TnVYnvA*TVVq~JxAbb
z;hAtc#)XbyG$q%Y^vDTP<~QuVIaiWuj|FsLdmQ18c`wNdzjE;2e+a3=4s7DAoSH}t
z8Pe&A6$Q<lo6SOgykZYw)62LPoz#^eZGE4SmXIKkfcOIY&NBb`b|5CmWhAw`zP4_K
zB?kVXNh|z&$NCMh=Z>TFUv&CEWFk!ekcs@!HUHV^e?0{KbzlGcI0U6h^J{dVVPfX^
z(2B4!{%suk@KgCqr-%Qh6@g;?E3F6t^DjZkpIVU*Tlzn1MVS6wEAmIe?+gAt_WZk6
zgr0-#V?6v{qt9-ds~5`d{J;cLZMxNPVVvks8w^&+LO@8|p?FaO1;LsYXfULBy{7OX
zSYgmH5*_FjwXQWlR7)jNU<)}ErLr(oY*wWcVYwebA>I>Aok1>@=le9-6Q1vGY>#92
z9Qz!ysg5Qgt0WPc8rbAPKP3usouMt$hr9~T^*_yJHZDSP`Ebj3g+Gp&(gbDJM3I|y
zsqa&#!gKYA=5x<3%4x!<zv)F=8G&2HP2j9F*<FHG&8(Y-WX&ioEMya|HU!tB-;~SZ
zSD$h>y66X<5O5k3<1?mdVm&<tCzIdRB3nDh<p3a=c&!Uyl@!Eo34<(&=Ryn@VCg)t
z$@8PZeSHOVcP~{5woS$6eItO~nb}xKSl7KN+2LYynZ;e3<04}J!5U~7=mys2rnPaj
zrY-!#68@ai$=$B|%ZNj)1<3bxS!tDsCesYgxER%9p+nXrK{S@+BlQS%E_E~(O`c%U
z1fj7b!$Oa6hMx>>(CNo&*y<&|R9y8p)1OU<htxT%WpHKl=InRm2N(zF#hAnx#2Cfs
zuT$Nnqd3A+hn?a>8I{@253JmkWJT~bw-?#ea7C4=`>b~F)xlHH!c}Izr__fQTvg0)
zfMxZKN~tf@y41i`S+(5?a2xVglDm~9<YjWN4PA3Ru4Hm|O8^d^i%QnyX+DmL4;j5!
z<Qp;g0Kx%*Pu???W&7d#zjpC%fD7LNcy7MnJ-|JnJ%Bx6JwQDmEgI&7T#|P9-Ev%{
z#^LmhuZmvr_ZNve&~77d7;X@62nC%4+yY+kUf^BOUcgl$yJ5RQyCJ&)yWzUQrY{1v
zL0N(8{HUQLz9QKW*#O;e*TcTRxuCv)sX|>0;K&Bc3UFk)_;dkM1$h952aX4f2g(YB
z4FG(=7$4#Y=B(EqmpCv_+||=1#7}mS6UQ7Wga>do(Ddx*>F??1+_l=Jjp0L9g{B5v
z26hHuGcel-*l6%T(>2!hxhtv*7Q>at4%d#x4z>zP4N@!Wdu8_pl|Pjq+y;IZ6pR|2
z7MvEC7L*py%c}V3ew!9d9q@=>C!lqgNLO%|f*zzDpdGIr-Xs(?7#bi=m#)7_&X739
zk92l)HHZx04A>V?H2`KHQ^0F~upGQ%;61>4epq_+6ksJ_Q=nRZb-xJ=_Hfrd&~X46
zaBhB7Iml5EN<YjlCp|2BRCZW$@IrtDe?~ndIjBT{K7K?w2x*WNen5Iac2o@bNZ@`T
z!^j5)FP}Vr`7UuikXZN~z#f17E;-~9`YlJdBrSGFKPv+0K@b_h5CBYm&RDRf$R>O4
zB|Uzot(_>|!7%I*@!%Oqc0UvXOmQG2e-J$a1o&RSYJM1%uzo1ujYuFOe+U8`2;dWb
zas(g{V1bkwFpzFc05w4993UtH07k->F2o%42Viy>93UTXA7CGrWYo?S(@${S?f?&%
z50DRti|{AFJ^&tm?Opd>u3e2?Y+Va#=TyWhj!qGD{yd`8>l|Cq8;-;-%$nJNtx=0a
z4ZJJ{5t!Kk_`vv>)g&h`lVLQ*CqTRaYXh_AfaeA^uJlVX8`c{%(s!i&?SO4?ZD1z=
zI-m`PD^w{@#v3G7Zy&}}cHf4mImopf0yv?cYg&D5O24F{2YtbOfl`I(hU5mMXxlxz
zn(|~X{fcoxUWEv44FHn^J#y6Lv4JT4N`HYc3CRt?t=D^@sJmj@D{Zs_zGB%cZG4PJ
zY=UK&iO7^`--yVRV4sY*ZL;zuwjM$~Fm?{28Q8m#_=;7nk?0C-!vv-YvS}(T^@rn{
z-{u1F0^ovy)B=G6Dv>IXDmDWu_Zg+I4x|>K6ULOz*>fo3sbLxYw+SO^wr{1F$=Fkh
z7|EDZwV27@&XI)Qa0$^{7aR}XE|3N~su%~(Ce5Qw)hDVNY8rwv&gj*&sWa=dZXu5K
z=Y`5-<^#*X)$VK03|B{5LhGZQ*^X)FGt27BSjy&pL`7?=H&)r0toF9VIRhVi%sZD^
zsxMTjfU<C^)Kr*g_qD{cFo-`2aR?VB2yu*BeF{}Gf!Po%d`L$mvF+;XA|h7MssEdG
zL;h*mA2!HDv}0uG&(LM2heD5p0k{L~-enhvyh0NKDCAF0fD{JM?N8rjV<+Dt@;4Lm
zgN0x|shI^lTN=ez<0)$|J6B(??$~wk8GZ`7WjH3D4=vL!gKwffuU#|b8S@CQPrdzg
z3^|Xh6~3&#`VBW#$3l2G-4HU~@$XL^3SjVHk8l?(3IMX7qWv%fKQleQK|)DM_@+yl
zr-t%FPp06qT8ZT1NH9N12`@5NDS!#UjKBE@RAkP<Ndb}u8}^gnr;r0e0S@$2vReDs
zhaqMr64+q1@$&Gl=1mXR1lQnoe4)#>Ojo_L3hrYJ_1P<V>wSv5WjUsrPcGvrqf^VS
z<=s9y(`z68IqngB%XmyOA5n&`Hc{J9on`1;i?<)n*YA;7A6M`1oL<&39f8vbhz<xH
zDegn{3Cq7WHtCTcSPp&`@Y+u!2P_486tKjf$$zPfx(nRRpUH0q5MB;+2Z%%5nKc&F
z2&f1^$Pb19R~%TYcubEUxXce!4iFTfiFn8x9erqmv->Fo`I+_@cV1?GxvWvmwq{MQ
zecU4ox&4cC>XCz1$sRi`B1d#*a=j<*nbkctmF4wIdF>eTG;2k9+h<sFDI=}L`K3F3
z%`OpRDIRne+FP|GQ99*-<iyPL=A3IU*}+Gmo3<JiS>@xbdEjyjCrf2Z@8hlcV@=l@
zVms~Q{(0+ii$>p4t`g^)rs=zR<#I{pd#YK=?gFlQmQQ6)_UaL)@}?03)A8%yBDp4s
zTpA&a%_35!6lT8J&4wiXz${?&5SFqMG#4J3M01UJTBsqFbu>*d^-xrtsVQXnteI9e
zlBU8+aok+clpb(Wu%AS8<JBTJY0@W)SXLgsE*F@dr4)VPivOHQY}3h}j(mYG(;JXc
z%N><z>b|!>>xspA%;U^)&0WvIlGV&Hm&K7em&N30;%?$Pe)Ztcmc_*Wc9TIFQ&c;w
zn5wv$x}?6Dn#DB66!og;ILuSzoa9-!lju(Bn&fVh_(g)FAPdPkKkywi7v;@b#$0wO
z+W_*rgpG_!T7oOtxvWZh!W|jK2$G0fcTLb&NDFp+6dW*4unL?elZ_|;dAr)&5LU5z
zF^aLc)41VDan~K}xK?5slx9{1NL|bhQZMf&P986thYma6CS&g=HT(vWlUsUckHwX$
zLV6Z%>7N!sT-2s&=1r^muCl}RrQ43Dpm&EZ&IQ^{ryM;}t9L&R3qW&cg!V&9ECqwP
zn61SRJM?_3w&3=ny#?L~`tU!AqsshPpA(^1!d@`R3$srwkxkWISC<G=R{E;GhI^2$
zUa@R4I^PGis!S1c7Ow8m1(nHNYvS1&)bw+KB=H+1PfMEt+Q~>oOL#o=$nB0~Wp0Ib
zy4C^J!m{!5DeJP&5-HrJ@wobIi`mrHs7R`p-k5rCR$uvxrQk)}a=BM5%~tFvpZgHR
z*^U{Lnf&pJN>*Ut5{;?tZV0o{V7Bz7?{Sjnb7OmNr}ggpJv6fJ;8jUK$$B!JJHv%@
z3%So3&UN}l*PO6e#qqO>)|SCrb0+7ZyhlJ*uIhpHlRC(?>sj&?+EYMBUiJa~dZRy)
z=%+7)15wYqtT9>!+Tt$GRPW&YIC1Z>@5{vS51k}6A-Ma^(dFz?KN({9hSwcy&Ig^v
zT4LJJ5CjqT79oteCK_~a9^ffJxf#3p6n+jnEU~Ko#BX{Ud?L1#VfQz&$W>|aOPW+@
ziT!zCTNg>2J7UgJp5tprn`HkC)e>Lvt<;>P{F~*0MoV->5%z&-%NLtM%>$K|sB1Uy
z@<JAG?`fSeKDM;>ntj@qWW1cv6xSKfme8}j=Ov%m+IIw=ZeBM%zR|3DCo<3TU3Sb{
z1Rm+*N3kMWMl)dRowOfkjV<O>Jfbm*Y}Q*Ayb|e$6dq~EO<$>=%MKH=e4ZzW5#MpF
z^Y#xxJ>qn}B|i=?%2ZCnc|_?Hy-Q47i<!nTwF%fxYkHNR=DQwfd&KbOz#k$%CA!S)
zd(EA`7QNkb7@!Y$t)Smxig`<{I~c)F1i2$zBTigmdK->cCG4+#_6&-Gg9?UA$kwd!
zU`s=7=_|`CTPxRUbT-K{=9#ahp$aM+`N=)X;hS<yMMb>ac&EIL7=60cc4w+#@|f*-
zt)W{Udp?Fk>_~Y1#j4{6rs&uXw=DkHgA0>vi29Ui%>0%bsu7&=+gje+iI<ZWTxWje
z=;+`{hwa{3-gXUHZCfZ4c`3m@J40jkwVIMx^jD5#j#GT%XP4?%8a~`RheDE0HmXY=
zZ|}NSXI)?TSN`XN9QPGjzN_mUQ_ikCx|5}ed0yVE1D>U8s#nR*sdJ|=st52}JX75D
zB%XGsAj?r(`XC}DPKPq*Q7X?M5j7D2z8NbbagYc(eRO@IjP(kTtXX7-I<l*5kLW1Q
zd32+3WD>A2GasG)FK%%JNRQ2_)CxgD`QZXvYU^EjJThlfy?UER*yxtgIBrg5f$O4u
zw_`+xp<%gOUc4sZIB_GV`b4^s2zk92cSf~58K>1NY_mp$V>#|laJV%-d2Peb;d@1r
z3y>2X?;-l$u?A-4?`*!CajhO~r7>S9FDXqKB44zo9D~#6HTEZ$=1tz|3}WBKjz7KY
zj1a!-FpT>81<chSdHI-ln{Y(YIwX&0DthmosPk49l{lF6MIO!+W~uNRJ1pf-$8UY>
z{&E%oSrm=W<}!L9Pb{{xXJl%e-wb9Mh;um=hq!qcyFs9-=QsC_GN4AXZW^m7OC?Wp
zx~`_i%G|R4q?l)1K96fj*~1|6EOFbS`8Y_NO>CTxVmeCveo7p16GwKtwl;$#O>tem
zjH9)$42rI?l5*ZlrhULlmSs7Kd8Vp1E^U}NgXA)*Peyx|UFv4~8jDNPBD}U%SXJCE
zPGuG$BU42C2jL3LW>Quzi|dz2$ZjigOcKLZl$xd8nwBHV@8t`oN^Vl&$cl>Ig)!ly
z%{P8TJd+tC&HVd3GpOSgW#zc4E@G2yX`_=K<sEm@l@;?>IdJv)d4|n+so&wJ!fy$s
z?t2}9uy3f#n}jE3-3)h`VrU7RN~r`LU2s0FwawQiyLx97HB2CHgtLp+C}wR<F&}<w
z==|Kqwnmt(Yf-W?g1TyxHW0F=vl)Dv@BRg>*^$Y+MS<9};qJcI%}Cbs;~UH-3zlhv
zFxB_NXP!z19oy{v(ebU}v`*U9tu3FTio&_kQp?0L>x0SgM;MM|rQNyJz7@NLJCfRb
zOEcPmh4~8!>R9vQi=$?ZTD)>pqUDnf2`v(6%Jw}3H>sNgqD+gUC(*-Z67D3rxOg~q
zjAj9jWR=ZTVfVLH?Z@$6SocI(-e!27hOmfumFdm$>`E>Rq~ph@jPo1P!Xq2}qKP7R
zY_A$gjUZklHo5^i+8mDXiPQXpH$7f!o=IazkFUaWWTky@rWE*f-Iptfx!_%is5Cg|
zH{rrZ@Y~8yL`KI!?u&BTBF5Y)LqZY5NQ#eJth(<*Nl5lUZLq5@PO@lgLAQ%pRpZ$<
zuu~2~LK!5meFN4PK@v;!Y>RBmoohuzj#J4nYXP5=YNfM;T#~x2$y}G6f+uF2hA8{F
zoYOXMEMU`Qw=D;GdZ;3Z9j)gZ+Y}P;6~`>@wMmr8)DG~Ycrz77O50w+d<Soj3Q|q9
zjnzMU#+&1_jK~~it*oD(RGII7#dWYRw-t1_!tL#Y6i?Uk>^ms->QI+@6!`vi-eMfW
z)LhKEvC~^eEO~i#N=speJ;^o@&f38{ROJwNqMrHuxuLhf;gFmXeOEbnN&V%7;$*rv
zJe;;sO`c<<^~<^xm#UIGY%t%q1(c^2Fvo1ygoHtB57fi2GMHP5AsObR*sM&v_6h05
zt0(m-a5ELhXhu&6y}Sa>t59Buul7*S)ECX4vtx9<Li^YpARjoiw#t%sn+F#b<+l^q
z(EA)H9#szn)A?Jzecqt^h-`GLSDq^eKLu6L$^Qhs0U!IuUoMAU9gr|HHjy8V6_u^%
zHRMhq|L|}W7OUF1<>2!Cs=PLf`-P`Nse@$PXzc1pAob<kZ;mB+n^a=1$}@gVN0sVc
z0Iy?iH<P1zeBfU2JqU+U9exWl;K^hoOu;d-4aZ#$cOeAYEZWvo$oBrQL%O-x)qf>!
z1~XSNl{IN3nxov@Ay-RRERj`9XA!3ayfsM*<Z`We8d{bpy$yrUZWj|Y<ZAqw`K+YW
z-T{<aNp&chGppc7jm?SqhS)cf@*hfe2D)TJGYZ;-cX~YJp=3L{OK?M*kdJJW0}^p$
zwi+YPKyIfHJVCCBE?Sh&V0JD|mNhHT@3i}4Ba@~(%&4o(imiV5Q4TYE3jQnQ%i0N+
zkDD=<geOy?_wakoR<wulj#hzea#`-=``XUR&d=vFNrPnk?^Ik;3GeKK&<RLvm%*Pq
zq7!hRPDW3tmxpv(56=#&mfmjxc1BG2B(s94^<U84vFaHr_fa3msPG?U*B>0I?&T;c
zUVzsvetwc6qw<Z{&G#A1_E3h(XJGzXC_iUX6T$UBe5+RNZD?Oj!*yZKis}%4`f{%=
zxUz|-Cx7zg3+T@<KdQO#!68t8RZ3;0$>*T~x(j`=*_0JrqWkSES5G1j-7uVl<=R@)
z1A4?%EOSauX-F6th)J+ra^mS3(Y;;R?3~C!*%`24ib6WyonlCfwF?xHU2!*3@@cfA
zP+w_PDGzWeDTM)LxY}@O)eJ+wu|iITlL~HAw?`#wBhi3418BMOhOV2q;I#c0ia;Ic
zXxR^)Yz({!DH(%jc6|u$(-4-+1B}$==GZWsVH+|SICXU>`8>fgE+z#-U?@qZh7Ek9
zW)IRfQaq4#oc@oZ#JRh*_>J(72<eU_pPF~HDs&!Q9j)K8``U>D-{Tp>-mlJ?DHj=>
zQmE1<Xsm_b2HQ5Px7NNWE1!MIlDsdmaP@bMZsng3qRKm(XCKamy=s++S+Iu3A_`y(
zqS3xcf6l#%ILNUxF7YJy1;Csx*J>ps;r&#z{63U-5{ZK_NAq(<;O8jeCL&QU))WmR
ztSdiiANr@83+$~;(Dsa%QQYM#4|gWVQl{@3N~)@4E!&|+VT5g?_EbZlZ_qRLmwPIP
zX-5{>Qb{DrDs<V$@#sVK(%UncIgt*zHVknlw>N&VRXJ;M4OOuKRE<7f#IziY{MEt1
z;cAv{UM<8lY-@Kea&BSuycF6d^JNNQoW}BDELVwjZems`)_Hv;P%QM!2N%nPmxo@j
zP~k_d9>8V*^1HJ$6Ddk*>PnvD0q!)=HPGqfalT<s_!8-44}bAd{5N`KVPW|bh5WVi
z<o`e+Dr$<KmBgu(%&m<bWsF__2uCFMk@O!t<imgR4@CNBtfK!Gz3A6B@PD|>GJZH<
z{)t8yS?HmDmG$S3>4UBP`u|G#$o*sc*P8Kz+<wGp{h)&X{{MaM#}QC}JL-1|+aFPu
z=m~zWf2IGe>|ZIYA5mC;A4&faorsNqg@yHx)Q?=KUq^5-|DsI){$u_~{ndtlUjHif
zcf0;<>8~xek5>K8`L+IA3z*nB{<xywIlpTAz5Va?{nP%x-K&4f`HxoqkG%g&C4IE{
z?<M{2H|>AIq<@&nZ&dLoko#*k^IwebKVnk-A~dY*AB5%?S^FC)rf2<##rxNUhMnUB
z?*6LuSBxqe#$RaoAKtuBtRH;m@1&UH1KRx^6@NsH`V$p1Gk=7r`UR8434WoPe}Efi
z`hSPUQ2zvtKZx?bLgPOYe&3D1gPV_P{&<l7w#z`k#Kyw*QN{lPH?wW-UP^PXd|u<t
z_v0NasYB8xj0ve+snQJ+j0r|ajD)e+@dOC5<eEUD-O=IkK?OF6O+-0J$t7ygY7w3z
z2x!0>UsSB?3#R8amThSk6)a2Z>I!`7<43P~T?0m3-Ln?1pI&d%(`)JOsk2`*(r;g}
zRS=*t34r92wcGQP%{mdhJdSIkj=x%ItO<p^u~B)dYG;1-wEZOfv(sYCnX1-&mzvOf
z_y|=h$#iCiySrs>aInxENq_UGbU`=$GdMDYY?*qiRhw2b>LFF7j>GB0^N?+vN`<<^
zZMfB|C%%B%TC2<I(`8-c#rWDA>h`TU8Q~qPq*IUym63Orc)V|{=oQU3vdF<tGJA$Q
zo#=d@kfz(T47kSk$~2o6*B<BsCvxha@9?j5_u}vmD%-bfZ}VJ-d-a5-AKdrNir{1F
z<3Jf7tzJ824d`{<X^u!^Vw=0gz=LY!6l*ovKYIl6C9HPi4@t1c4GzX3S_T}8a08PW
ziw51p)zvGP_COeZ)nHdr(C`jIhuH-!>7;8L$Rg?c6cm{tgx9HZ)tXD8*iY<yyEN!u
z6MmF1M!M;`V{0e<kZBj6Xrzft{=JNM*-8WqwL|74F&<%wxJ_!>F0#1W77hhX`J9*Z
z1!UJ2qB3Duqjn**EZV~9L1>d>>l5K-m7Q7J&Lm)ZUK(>H@>w@jWEUTxE7TcvhWI>`
zZ0wjF*T&tCFTHSlAn2j#V~#<lL8kQM?Pj*2_@SE6jleR!NW4)mrA>6)6j~BclXo(k
zK3k$q+D)?1oq_c5hqlCgVHfiG?oFQDub+e3UN$dZGQ~Y(eayJM5FUN<@%ht2*D+*m
zQCQ7R=VL-WgPeta#IE27Hv=X6AtSWnS3g%f-4ly!C~l(ZN3jOHLX=Kz&n+ReHkgy+
zOx>By_-pCj;!%GD1b-zhTluvReH)KLKUzsCS0r2s<7E5TD|RGSAt5a5d7jtrf$+kV
z@kg#YJFYt8=7aSGIRnYyw+ZHhXbde1s?^7oVkjx^{whR52(VlNOi|x*=&nzaq=Bk}
zcd@H_{y=2RY|pRd-erajf7*5iRelx@EDAlLZBIbQhy86{d5l#bvl%ct4(B1*PNGSL
zU0#h<2?HJ%m6lW$JIn&w+9W-AY|BJKx=vxAAvetl09dG(LMc{Mi5!;3CLh@&vb`TL
zj{qChu)7$GD{@*xzqU#UK~PZ349NsK0@R$Hi80@{SRh9y-?A8!`JAC>jCc>(grXdK
zDswV(I&)4UoHkd{8Mg&byV8cAt#~<)3GN8&wrpU<5|19bMxB9dw4}L*I{3y(_S(8z
zK{}x;dDCMPY*V=G(qM<Gd)F?a8atxeDw#ODi%fjTjtqe>SWa*_+QVhGmUtmri^~Dh
zOJ^GJgG@jVNI7RGYnk;NXYZ2O^^w=-l40u~41{>~ZkP}liwuV+qSnh)U1Q|J==vY~
zA=kAjh5=e^=#ooCCf^gxBI@{{MVp_xr9zQaT_447#VMrG7I;b?>QN|Tr>B+90lCQ(
zIocc9JJ}CywQv0#{CV&*zTUHMDQ;<MiKO;E{BvBPnWDsu4g=m7v2Bveb^~&x@DNEs
z&puqH`!R0T>#@|WtyD`>n=A_Hu6bOHaFUYxDuUr2A)$`8BgnhGFIM=4wHR+UO$l~D
zkUwI2SbmfTBQNnj5Z-C;_@Fnhlhkga^+=dqYS%UP?C-Wk?w^Mw)GbQ%E~*ayfLW>)
zf@P^qH}%`04OxaI%Q-ildQ&fVVQr8dk?r9t*qsQOI6n8^&hxsvW(9&+5#)t?AZ#LS
z>a%ONLvmMC1K6wbyNBTeS%7YYmq9_>QYWC+TkpH3_EaHPEmuB6xOD3>%YX}9p=N^C
z>ypf#eF<guE!|@?_sO+L*MD^jx$VQ8Up7^XK-4G6$Ampwc&W0mX~45;7`JIiV%40|
zq=iJLa<uG-e!dYJ>r}fQnailUovFIb)<0hFnYRrt_trnor?*81IMYy%-b-(m#h-k^
zOw-Lz6PjNToChU54vMW`l5~}i^p~D`$=Q2umVLLMT(cnS-#_FNr+Ug0iYmy}7p?O%
z3BgJi>T$9vz9a(qNNh!T@hraVn1sGjEU9LGx|G{Il&ek8%9|0XVt<;ryf}B_bO$@E
zg-|8*%3z)*?>>iNS?fLK3%P?QezjK6+c?D|!PR(Pb!tg^FTZq&f%!_;r`gG&<b%8R
zL{CxFb{8nLTNLNHF88Pcau4^lQlQF^d>GtqSI$tqcu7DtPO$%&mRP=DjM4EWYG(2p
zE1zzd)drh#zg*)HI>dZLF8?F&H~ua(vmj^PLU0Jt&rjD9!q{4V!gT`A5=zk4vlXyw
zl2CP%^eD}c?FVq8vY~Iam+rjwS9BKmKT)50pi|bpKKaTP!Sf(LEg^Pj3FWelgqq*j
z9Tdgw3ss`Q%{&U_#$D+HLq&guXYwGg!;i=i)fR;hz57}T<<0i(>seF|ie`IjHPOx3
zVE5!W`Ls}O`mpXs4}q#-|F!&zGA{>n?PcoZ>;b(<_0O>6?}c(g`Fx3jF0b^NJ{zfW
z%A54~l0e?vj_gVyY-l2NxufZJiE~Iit2s%>3&+Vv`^R)sva<^ZR5#(gy7-g(7#Uzo
zdQ56CA5)#=Fol7c5QJoGj#9An_toQMlGY#cH&7tfH^EGc`}?Ia4;1?Yx=z#PX4X%n
z3eJqXO!K-*dI*+zt7SJcYvWtWVsoN7pB3Gl(dJK|MC(iLxxmf9Otg$;yEHiA5hnKA
zwvJ5nVB5BqmPRxbi6zC|6-Yj9bEJeG#s`~IF!o7tW2d)$9v_OHot=OGaXiK7sbQ%5
z(xxknc)eGIZ<ali>ciPdr9DQR`ciRsBjT7i!WmP=+t5({K_+(vRQC}*c#bVw6ZdD1
zHCuTrMWNK_O5#NEE-b*s0YCN*0Ly<$m$Uhq3uqp{0lBqJk2rBwf?T+(m)1#^f?%9)
zdplnM%&EnqSa_q>5LAM>4Z4`TJD8#go@$u7Ku>W(Ur0XZ$+uPF=&0_$LCPyF;%DZd
z@?DGA3sdn5wn9|e1qquc-{F<ClP!x#G{EKPwZSpvjH@PHzB5-F48O<V9r%-UYIl@b
zi{zJ+O*a5lkhObnTiAN&egAf%`=+UrlOOyot6)Us+HNTP#+H~$V`hZ7eE5w-qxD^(
zEfSsXOWhgS$j?2OGu^@pGhB^twB`}i=BJz&4|_>>m2H;C`{x!*FMMs5Oy_06oyYd&
ztG@24Ty#Deou!$-mSg){`%~@HWSQJk+{|ZKBS}?g*4R++lqC?agUis?Lbsi@AuI=J
z7|+f#K1!r28pkp!>o3w0nw#uvO3bRv*F<_`bTx#_ygECtPrX&|<lYW#;-U@29}eJQ
zji=%B6YulonvGelu-FC{3$`1<VF2bmjz4D<>C_ifZKT;63g)urX@^~{dmbta6u-u>
zbSw?dv)b6KOf|LI>*m$z3!&F!4nVC@>qS7%qgl}|%2&1O>H0^bYt6f>S+8hcGy>@Z
z=X|LcsEq1_suT_5%hKuu3{-E7-XJ;NsHu#w4y$)!MUOR(b)ool4Yd^z(KXjK=ASSK
zzwr)q25<KsggiuZaUS>)ixFS~kuoTp^&GYQB})6?65<kS4jid|?zRUaxokAV5zVBh
zA);2_(6JtUSLicKp$Qj=tz>k!FYp<gov;5hTgE3P=sAsj45oMIa^hnHlv0scwTX7;
z>RaXzh~1HPA8qOoDDEhj{HlhZS42E-#7?VV0R>$l1pFj4zPPp_t~sX<G3b6MQm#E?
zp9q@(>Zte#Q|~uqdc5gbi5+!X!iD=QMl+DKieFak#l#c2`CSqO9g<Yyl7}G3AGZ;l
zIR{^Nh^|PN#H@BWpA5@PK#=+qa?lAUU%!7!mNX)JWND7PN#KiDoJ?CDIxj|kt&7t!
zi~2sAz1f(+#V95>BCIiZKPcZ4GVZUP8!T<OtM-L_DGrmcIscO*_cfftI+1UFaO$fO
zmccnPc>eX+4qow;YCId`ill;gQasr~)XhX}xyPUj1BK0qmI!IQ&`xq4ZngRj=OOMk
zp*Z+`?0^|9?oh_)%a=9?ofaUTRq3;?u+Tw>QWTAR9$`WeBc$dOYJo%8orPJEQV<r!
zjMVt0FDqn&d}@*Hqz4Sq7^yO739W;9YEg|t=3zi48d9Ai**~tCo>UKUBg-?b2o@3m
zBVX+6ypwQpmFvQH1$m89^eIw9YjBO|)_naka!%_aq9>Ds+7%4SC=wFvP2UoSVi~8u
zAfA!ZZQ|~m0XbiQ<?^f1f%V-g+#Y;R*>t#q;1KW$v44R(extjBr0KcFd*)ouP>*$I
zycUb>16az<(h@|AuQwuo#Cl|Pxi!9mdgOYI#FW4Oe5risacH%tQ)Z2r8c;nUddhL&
z$>m}m2D9ysUF#$VT3cL%J|lHV*%HXhA9`4MSeY6f{DbnHC_fk<x)b&I6UB^Q7PnRc
zcp^1HX*IC!fW>;mBd>%GNu?qi%{SDPsb#ZwhV(&=OYZ(PqfTTSWS6l0g5?33C~x*V
zbrWnW*>b;DnX<hZwct*9_<lLb%KYO4eEKT^7r83P8U#d(U=#g{Ns<-96}lJkhwqDY
zyu@#!X|yzPSyObFttKa?sduC0YS1<ZP(bk?V$C#w2X#oZ7O3sxz8P7YPi%44J2qV-
z?MCoBtNIR+Z8AO*Yb5yk;1IBeqpBOHs=!A!d9K?_64?cGQ>ur@H#|=azG{G3NGbzq
zYS8J!D%HyuD-$wRjZ5Hy{AysYo&XcHDFHsPlr-U(-?1i`&0BAR&IX>4UYTDNdSu75
zF=?<*v0hg(Fh{U8neVz5r3`(CM<=vGFU2H4zxRqa>Lqdk26|p{!-{iD>k#u1c24&{
z!4DUMgxya=<mBSC&I{886f<Owe@os-4K)SS4l{++mQ>wdk_JB*yFv4yYLD;{^2F<2
zxtlIJ(C40*%5(FPke$9i)IH$C@JoU8+asqku}|uj)?5^^Vr@m4plm>sr8_pot`?H5
z0zQH8)U<<?ms=(g%&t;=$hxSxNV@nw*z3SR%Nl;&r@Te8mA*C6>)Jb!A3IB0p5!7y
zcl^?lZ<BQ<xhmA+-2(5lf6M6&-aChVYkSBPLQXyp&u}iZI78=SznbopnMkZNA_GL%
zCRkY)Jl+$2xTvKcW!HG&XimaIMSjEPlx`Pnr@Y6YPx&mYCbeH{SjP_`0ZYHTBEfir
zd56a}@b;<YQ0s$e60Hek8(IdVfnfui9nlFlx<%XomH~DW!CE2X>Q{C<I7{t4=L`H4
zk(F#+oCqVzGN5%pQfm+92@~ZrR;@bCSCp2_j-#qNla*L7XeX=XGE2QkYKnM~53BMO
zZ1n(8+GfurM5`H559b9A=aLNEfjK2^zrhwRn3!=rq&M0k3nn{|Hu+&wkor}|uX?u$
zq0knRbh>XqJR&9CrRpPq(M7;nkQ{XVKFA|Sa~2dc;9~OyHt_-g@R?~}j=6OXX=lz{
zuM{3gJ0IH}P|@Nv*R)I5Ql213bK)m)wr2)&0Gk&?S+Zta)|NcKA6()AJi<1kFq6AE
z&$aw~nEq>`TeC10sS(xIV4W9LK$G2lZntDP@3wwNjWeC`mGYn|EP|54Iu1pPV8gS(
zPp!BU4%1Py#5+2xgoo%xtYaj?O8qW?!@g3q;1iF)YuVt?w>&vkG2y!y^+3Zbp=dFY
zpNT26mWN^}h|}r!hPtld?6Jttfm5j%dZ@bcOajO{WGV)^#Wkv2lTB=ftjHpmVoYcQ
zL%7JUKOLO+k0N|0*3746)eZk5F}b*KNVOsMF3=cgBTL)~$P=zW_XwSJuK$uyus_6l
zshX4d`D51M&Y-XLAV~|EIZRCa?G>cHeJ!7nMa9P!`>cFTN+zM<oa43P-HDLDk=Ah5
zf+gOA)~M3?-@(M@)S*|kYHJN4Vc1e!PO>}DCAc7elSyS$wNB&yZf_t|;v=YST~pXX
ziC9@i9`p5U5(>HqG%=_?3Cbw^!?o9%mTdIMVeBbuX`dA%)(xiwN{(c5qe$T$`Qf*$
zIyID3*7ATNVyW2b9Vtv6b5M1~P7Sj13l}N5o3Ck<78NgaEOS<$Z?DsoRInrrMVhD4
z<fjKTiHGU6-6Y7iT<b+!5^peRc%>rXE$pebHtDg*t=HztCDZQ6tq;FrtJ+!~o0pRp
zJ&zS8iH|@jif}C1G7?*eQfFcxuF5)+DbjR1EMwg<8B`gBAGV2GYW_qQP;?>|UQVKx
zb=8_)nm>XMZKWKZsWVnLGEcMn&QYjLNb}Qjx+SSj$1}=71gn;C`RnU0@$wl?($I8P
zim|)VWBdr`OgGZaRFX^Y#oD~n*=<p~?x!h^oogCh+FR&l0z%5Rs|IV$#G5QB&d%9+
z{5>8g=iC_P2$|C*R#dtU<mcJ(xkl#J@=~VHwms0f`oi@b#-_>2zTbFMDa{RyB#mwx
zs649}+?S_!rjNUY+})4jMk(SK3a!$YF(Hf6U*alA%KcwCjFt-)a4)`xpO=!L?miof
zxv1YSpKK#W+>XSds$E&7qRo_Ct34NFS5oa7MoNcH$EqYzU`UvPIF{_Mg?rRktMeq`
zchZKd9PTd0P)+wIWm!7_Ul~is6&4iZ$Tz%3=)Du0@;+IN$6w-TE4`s_2IENbg4Z#p
ztgufO7*;!}V}c`iL%X0DW|S3JQVp}g)jH*?svz)te!^8-Ceenqr}kkVZFGIEl1w6s
z!)wZCN>>?Fct?=mo~%)Wr^9TP+sYb{0;5gzT5BT%V&{dxlL_OpCVzUFp!L+UF2$an
zz5aNECDL5uC7XuBl{R0VXM(Feb?l5EPPzu|Yst0Z7OjP?-Y{oKn-?h(1Mo-|Ocerq
z%RiVEUq<Db@w31%{P{5n<^v|@2E!hDT?IgAGELhgzO0jmo34RU(U12l{dPcrvRyf2
z3yrhXq}x{M%?oyqS6>#a@r>Q_x{U~vZATfl-hR`snT8%)s?)ldS;py;yy&xE>L;|D
ztkVyvj1>j$8?4i@<O^+%ml}-NnW~t-4aQlE1<B+(YT9CxtGGOeGKn=l&nTXsbStUM
zfB|q2E8dA6;3l7Zyq7qlx#0O<N;MnW>?7or6_`q*>(b3LHadE>{Tw#z^&+d<Z9##x
zL&o$>8x1ZMe!&WIL|E%l5JrIHfL4WL1DEmF41Zx>S)GRe0)sB_iWLO9g)jb{Ia|2b
z*$CirXppIg<JJ|i(+)kAHh$C;qUc+UN)XeO4eM6IM%h6nVlMFJC+%={gvPG=+_9o!
zQ`D;=hs0fim`jg?h44xEP><BkZ{vtf$@HjUy%%w^PEN#vpbBQJVk7h1V1~T!UnYl~
zWA~eR4T3=QL`$LhsOpC4d|YV4>v7*X5I7+h6zE<Yy3~0l^V)h{36G`p@g6+<b}XMl
zfmW*kj1kQu<jvUnHU>f3>R^y$n@J@G2p3+~Z%VQ7tysQK86f9g+7QtxP+8|t9op>a
zWkcbIc~66w*WPq=NWX*kcqpzo%^K9$R4XqZ?^JRm?@_y~??`xhyNmjIz6Its)s%0j
z?X-%FZ!JiUC(}e}>s~H5@lGi_vtm}Xnsi@6`c~MM;P<v-!16!AUJ$dNY?r-8@=oaN
zcn(LyB1+(x(BYwkNlXxjl3!vvO*14KzME4pOqU+)_F^aS+2B~WsqrqbTh_%f6Vhgf
zs(yvw>W(Jo#zGi!7s24Dl-yz3=z`cVKU;)xAuhwDoz4-(v*X^>Yt(GuOgSXX3*-jj
z$wWxFl+Y9ijXnZ%*wY!;o%S}VtCsJ_9%s({9<U<W`n|QdDQs@oC_uBw@GN76z>tl%
z$>0J}<Mk4@l@@M)Y>~NvmD6#T$7xx!F50Am!t&MZ#9wuNt?~3rC_{*3q<#l$NTP-s
zWfEqg1dz^I7l9VSKoltqfu}g-0oY3B`r~<E&T55*Y{kG~(wB~gigERH>I$Q;@a2n_
zgNy0!?mcJf`nu0i(^oZjU+<&6Pm>L8Bd09CS>sQa>bx3zEN^>(EJX4M;S=!z%}&Ti
zw5q9|QQ`eaS>EQ_M2<{65Sg;Ei|>({GeE;WIg9n|qG<{>#~g<~i8viSyXFlL(BEw}
zjdIEU(VgK^SlpAEULvVy|D=V1B&vi$F?mb`DpEhxl4cRZCFVL-!kedK8_nrhg7x#b
zu<R$powWOpXt?B$`N*t_zo)g>T$a3Mz>Vetmm$x?`ZIrrN&ve`Ua(HealSxy_NPyE
z@gs(x=D7ix`(YK!4bsBmN~l{fWz!*l$#n53XHZea#T_b<mtCzzE|a*D!0~xO5S~6E
z1&g3$oVr-FK6k#Db&i&GdbQtM)TC|9VfVJJvg1uHa-y6PaZWTl6OzQfzPYBR`O$c+
zGP1Nym(VfobAL3{j>4RHK7OdmoIY`Au)*AL5Kce66@MFMnzZ<sd{EFN@ePz`kYa$0
zTb57qs~S$B<$d;!EstX~otdHHHrjW_1__@6O2j<5wxt~gSMXQ4mgn{Bf}%(42_So?
zX$!du@Hw2h<?YpNo?X;0s<$;!a>^;?OQ6SsOm@cbW=T1Huwi1856D^^%|KWmD*AUh
zdw%24!w^Z)z+g!F{8zFPS=CI|bZzHZ(v$Slz&jq7sk0HDVW>m%4czqywQcIhQS)e2
zjM6|`-|&~?QTL}xHR+zX4ja|F{<!VSotB>Z1od*@i!Q(|>P$oz79G}pk0TyZZ)Q49
zk(bT9Z0o~H_!_gsT~+M~A5Y&@q~0+ya@3S<rWC{23KiRV&#~`Xwt5QFrQO%|6L>dn
zlDAP$hfhT}oXYB-Xql;pwGY~dtJbR59>X3r8#1F!$0mO2B<oDP#@#P8civ?w@S^gK
zIk%d393;HhWDg{#pU+`Cj_El1OuNR}TAsm)oZm7erSI21IH~*?_=Ky3=Ni36q7ljf
zlP5n`%?yk2-CnI&o~9<Tu}94H`R+00yjU(Uxb+yoIBA2vU8){w_1v@-t#!VIwN-e5
zey)@jHDQ=Iyaa|^Fs4RKKm6SNi6W<8Qklh+K^ixG3C;zkzck^*cC^bYH;*2A>XIbe
zx#e=S&%t$lV6_(D6C-#6Q{Jj~)aN|!XJ;)XH=EEnJf;qFqx{xNDwj0k{063RrSPF8
zN^rKvv#Z>;k@+T(B-VBVV85x3Hyb$?3@?dDs7(z)i-bkWOkRa#5iJa<6kaWDRW<=P
zlgmd%1plwv3)Jh{D7Wp8W9{dpCfsj_MlDWb0pHz~u%4+UizY*}S`IH^y~T7qE$!w?
zZ1J(UH0f0Bm!C35!MnXqOj$DBgHjlaLZ~T-J1M8lBv`PQr4`3cLATOHH8eDIOGrKA
zZAoQG-e>a3Bz{`0;52t!9d;83i&5!Ta$|B}zQzo9qP%ceq}q_<7P{h*Q^XC?b9rwF
z2atvY?+^;a^UN|yyW$V48eSUlj@!Tw&QHhhA6mo<MV`PnX$SD=1^&d-BZJSUnPrp)
zkJDw4`vFFEr&I;CgRfDx9@z|E%U43mB60soES?&YI_o9lh;z??R(DJuD<9vhL*VCG
z#^G7do6~(Jm?_X}SmvQE=ZtrMYItB`omSDja(|!*X=^dn$9#yvn`UaW67rhzaT4m1
z+Xj6KSarl`tmt$Fq=p5w)rlcxk5c->$=Cx?55{bpp}5D#XJp>hDG{~_VEK4(-&-!&
zhsHp!+$~C26h`Cdx-VnT%Y2-B-Zb$w>30tb{ntDPcvo7e@$PmxD#oIc%Dw30(ZhM{
zsu?}+>(V_snl&=2Z?RR!b==-7N_yDxZ9Qu0**jMVSPn;9=SOWSC+N)K(r7!K?@GpE
z0$UJ47d=2)ExU~abib3}QPn4~mRg`IanaPuHD)p5qDIC?hojYg4MQvan2FC{8F219
z+s?r)SRlcXGn!gT`Ro(7H^{VK>X}M8(i|o%XQluW4cetUjyF^<ziNp|-W2WRYB#Sx
zWX}zsGM)AG<cN$Xf2GV4XsgVeV*A7$3C@w_tV=N>M9{%AV={J{f<5MoATM#u9UG?t
z-1v}!CZ!=!F<s2hQx~~9pQ_gmpQC7YqG&ssasmEe;?Vo(j!{;vTGz7JtX9tx{T2uQ
zrpK4elPP(O9CCFiw@x@RQhh8X%?@G(Q`L*`4HNTP8^^cIE$zoA4HfJxvQb5}ph_sK
z#0qFD{pG6$P(0);=Cdyu;fwaUU9?;ow2fp7vB10m>R?KtNMOK-U+uE^2oBo61+A=t
zqmZ0%LP>6+YEjN7zGYRdhxQ;O#7qzM%F=N%=dAZ^ro2Jh;pAH6lXVmE$I8NwSjnb@
zxRaI0%kT0qCU}F2>DRs1g3T7S3hWu%DZ3GHo5}<p5Wq=@1DnZt%NRFcP#Pj7MO+9c
zO%~7l{G53DntnKTVj=<_-UA7H0K?2P=k>K|zL|TG>UK|RRT}~GM!$WKP_5`WzLy@Z
z4WT~#yWMJ^VQFjeWqKn`(`~%-f_7&EW4tPkZFar>d&Q}0C%=gK-b`qO>nelS+@}8)
zq+<y%14qV6=VOR2tI`3c5`Z||#!H|eRt6usNAkw@0?t)==@FQ>r<ZgQQoD$A+Gz<k
zkbuKv`@q-=-6XkFK(=B)upfe(OkPtO1jLU3ABj(P-V`!D2(V3Va(K2`-9m(!Uy&)(
z#k4g<jdxLavswxLVWFQHvLMt8pL(W}aY~PLYC9FWs8u>gXs~HQ+tGL{GW0hMSWuMO
zW0g<(5kL|-J6H7JL%V_X315giD`O+5^oF!hfDOSkG5W~2ugu}vC|)ju--rEz-$i)y
z+_wWeUpk>Ix_!RN7S<@d-gmyY4)%w^sPjfK@vm?jti47u5zk2o380OV`4ij}A;5yE
zjYo8!OVDQEjemO48Dpv9m#e}C%JM=w>iZ6uH>+m~hGYxWe8TIq<;FcOAj#{vSBXF6
zc1LFW^J<uiQA@eI@(Gr;b(JzbpkGc*ZNH&)hg&Rb9sgqQxLc1#Xi5VQN8E|Do?hj9
zuu#F0RRMW=Ci<w!zQvM|4UHUrqP9foYUH@$9p>HltDB7zyJT;FZn`2Sw*v34ZJbT=
zcnFP)4NHxKni-mbu0b8<?}cqMmtz}<&xnuD?qUIa4V{GV<nK`%zKiQ|e09DAz6dX~
zZ(m-_-->=X<h8F(2nr0Nf7t;K1k4-TVe<fL_KER7d<APH9ysq{HA_b2z<@wu-@y^9
z40PxzwN7cT;8a5}Fs4uJOzujVK(|T3Q=kD`qHW^A3;baQvB8;SQI`k1Y^jLbLv63;
z5(^f(Bv$fS-Ws=|mi5P7ki#4+Y>T(MAD%6qm?N#KT>!*84uWr;eFRO!s%DGz*R@47
zaaabrxCuG;oz7>?ozIobN7$D|xzE9hI~b?nS)sR_uF<3j^Ph{;`7O;<IA;?<nUJ%v
zUiXbbk&~mx()UYKrPre-T@_XxMc=(7N_Nuj`My=Q^R%*~EQsZ~*nWg~tC_%S*+!zk
zLZ#~2jrjf*HTo^d5H(-(i=r01Sw)UZ>g(Ri@~-V*XJSFrReuJ}l~6_I*}`k(ekTcb
z8=R?(kKAPIVNx4cKv{1N^rJ)*KmL_wPuxlsosz--2Sh--zq47HuLRfo41vbkPD-4z
zQ*kDos#9_fXMT6sYGw1B(<5AfncP$hs;We2Z-i5BArj8jxm;{st_7ksd|ovd%8*5t
z**u+=smtS;x?KfJmTB0Fm4X_p`JlA@v5#Zj{j;>KIKwHfBbDNUHN=NNUeNBAqd7%E
zdtg4zbHmGbgyvJf%Qv5&|MMm1(m@}VysxIVrWzJ~E_{RihZPYTBLswEhy}zU6Nmzl
zn)!vEK=G^^R)X`$NiRM7(%6Ro*gXFOT0QpDvkTWnCxq7tYc?z8(QRWd{$lKpFTS-j
zK&Rp~&_`SIIgf+gfL)6f50RJDwPBS{Fs$;ah1HT;UwDaQd7UBTXW;^G$nOjn_(Faf
zju=CJM>yhiFkJ6~xXqW!XW&ca6M0i#fw9*xU^rzEG6tG3bQpRJ!eYaS;e<gjh`gFX
zTRg*X=97cGEh1xTK7X}giP8(Ycq%L;!X4qBurLxn5oSw%izUXQ%IEmvbocf3k1sVK
zy{VDsLCeA~3RUIv^~$c88%v}EF6MGkid{SUd}3~q*J=utClai!YEF^QYEoi}Xf#@-
zTraFy74|v3TKxR|TAZ&CEJir_nn_w%S{=T@_M(lgA#^j@z;3W@Ok7ucecdtBQLEu<
zLY-n;C6=p>&0{Or0Nbh#vYqMy>p|PmnxiehwEn8v>NHcqh9h#RdOO)ty^B0c_t<_`
zZ7@UEBuuh|j6rJ|Zc)UIO~%>AJIQOwUz2|%?MAcDoS?O=MxCN|v^`EAV|&%Z?64_4
z<v0$%PSCe-r1~NG5C?|;GM%;j!|L_ac#_HLL~<_ON$$5kQ2mXhah$1#<Mx7JW3a8&
zP234)OAw*h>+$)$I<KL$$X`6Mm~rAU`l{w}%H5|iq4;Q{Urp((dcQ6h@_WMt@sPhH
zT+rA&$=@i6qF=Iy{JG&sDC92=M<ym4{1d@-3vAXLpkOnBX#cu8H<8RqB$9+$lg(0F
zf;1<^1}ju8975^!wqDyY8?zPZMZMnR@jdHpoH((hq<B(8LuqNzv&G)rT%ArTW|E=t
zKGBv)#Ki%L_DWP5X7#E?wRTw9fR&~pbq=#n)$+JqLteXvr*;i_?FFHrhP**7GpNB|
za93;F3$&4h$r9>=kPy3=!`C=yeGGWx%9$owLTYN#BAlF#M|hY`fK7MDu~zt_aGcyi
zmO|j=;W(*<`2PjP9ZztP3P?`+`f)GH7_X^lj!&s*5xcv(V_eEI)p<SECX<qr!Y%Go
zhvk$i+fsBm^TCiUMUaC4sgWU>r$+W8;7Fj6kS;E&^>x#63e9y02w~%BQ1ic_3Gk$D
z0^tXU8nJQP7*`yZ({nd`Z^7sd4K=RXv2qPvDo0=Z5*kgZjF*SJIU8u{WPe$8i2kE|
z+Ul8}L+tFB{e~`GG+ONS7A5JMW9?sH7ci~B%P}oiR+o=0ajl{9qLN^4BpRijrl~o&
z=LxGU5uXFrDI~4>Wg=6BC{!(2fGY)GW80LS%2Ub_#X<{)>D_9LZF${1c3F^tE(zfR
z&ji0?Qh_Ptm%|Yyq`;)BLgn~Vz=5095hfUbc5B!$dqs_V{wFeTG@3L}F=?P;(m=(u
zE4-xp3py`rg#O$)O@#-pobKl29aM<+#~=;oLJ9wz4sp8eF4AR*kf#RvT%Gtpc>QPZ
z*UXQ)HNw4e%>qTXRNu1fk*}|&U(=5bM(dUJ!d0ATM`@XQ-T7zdgxoom8^-zLYOG2L
zNiwDm6?!=}jcNnkQb3)z6}=jHwL+L)_(TQshH@)c7Q!58j21<4Ylh+`M&S+g2DUD=
zPT5#+ZFC#mqC8ZATSU?4ie9M56uNcFt@O^qTZ<nq+)Ka19xvQiajfE<#NR416;|Bf
zp?S<%l9$M<YN%{TtSr1DZYqQH7ohHt-ySX?(Gouaqp*b|o{&Efj;O3WT3A@XD8w9E
z_$*VHzN~bwo^#t=K4`s+3miRqVNg?Si2vC@a+uzu+N(?Q^8*Z05=f%K$%Ve5&a61s
zHoKOD_l4Q)@SZRWACl{+TGv~5qE4tw8Z?AAXzO6m5Z+MWacjHi)-v7NF1mNsE;*v1
zI>c@4*Ep)n-ThD}W7?g+xKQzD+%raSrt1qi>I`%TAbEd0#xdRpG3x?$Q)em<ltaVq
zm}ZfwN_aV!uc!**8;y!cyoOc<;Z+ut*N{kILaDBy<bo;SrkiL#5ETyij{CNnNd-84
zb|@!R!f`$ah94h~o;@U|60#jAt_cVv2CXX=3x_E;&=zyVuK5aDbEvE4<^-Ld(*USD
znjwK352V$&LR4F$Sc7t)XlCu`^A`Y-{`H;XJ05$6dV995JwM46Fuwfi?pqp`vFjn#
zk8K<X0UYZ?>xDHu*7VedO~XZFH{9N7VfWJ~Z{EBcM>3QQWZn}c=n?g7f$DR9qa2si
z?aYi%HpCK~QN?D{+05u@7^YLz6Ls}<d4gYD>|N|zoVVDoldO`Bl#Miq>&@$}>unqD
zy}{m4Z@f3L)o{Cc3(hNUwQq?%DLz>vJFPX=q_sA`CO?^98>ewrAu2&7R9adAv2!wO
z5)-~eFcC_GCnYD<PP0xcn`@qLT_Dddogaf96Jq|FP_4giu6M3)ZeCaQWi^*2FRQ(*
zZs7!*U^bV!%>L4dS!tM9nrP^E_Pe$gKBRvrzBBP;e5B;1ve#lG4QCs2E;iKr@wtqD
zAAJ*&`({e%Q8FyFtJd0ws{;P~wIP2ncr>5qBz+I(lmXH#wj7Ja7PFMu#3G{>=pu9!
z=YS<uLZl?e$eyKYupkL_qKFm^(}*g^9mgE(q=PDseU6h30SdsD=R(g0V=}j0qC#kQ
zB|TR8x5`YVP^n&2t5&{=gg`2l%0%TzrC9j_ok~&=^}OT8t?pPK1k(O<+~n9l+MkMR
z#_=YY+Rt!C4?dq|UA8RG`sf_k)frGY8L@6E_aUA&e-$S5u96~ixv_?n+KXyvp$ncq
zfuyOzQbWv^@>sE4RzvN!(z2*CQbP=J9fx@UJuG0Fm%Ymh=m+d~bKbYiywbW#UKZoL
z59Z7mF79ZC28-EiPl*Y8ss@g;w=U|4R5BPhacJYgu?+w`QlMF;VeWL)1X&i$i;D`2
zvga0>5dwD4sI&Xo%U0hJoBZb&x3~Z8g^9_~5AuBZP)G7Q53SjB&xD5JvG3eB^VE0O
zTvwl)7dA;(jm5U?xqR~_lWW>Ht-SjFOCCOHl$wHZ`m=lQ>A7`b^~&<#57yr~_ugOB
z`a*FI`IEt~(wZFoceMeR>Da>jg~6-nRqU$#tAd7jxG6k4{E+mZ|4Hd_zn;<jAjqT~
zE&#`}ha-A#1d6w8H-v}Ti0U%Z7*TU=O-?(+@(x_*6CpyCsCfpXM(2zgNi%A6&RCG^
z3B`h(tlD@B5|o3BgL{Hv@F>1b@?<_z&0MbbX!Os6-VZ3t!N}x~W3h8s`6DC<0&A}2
z9SoW6Ni1*-hXPslrtJ(-&9!hBir&{m?okNcRDNB49UPCFo?Q_bc_1|W7dpgcZ)}T8
zeAHfKc7;~WJ?1Z(9Upxu0hQ&k#U;rZ`XX7HIrj40!iEW-o!b;Di$;@5zi6?!)?5a=
z7gp7rIVJ7Ks#ellj*tWl0cG)I0%JX(6l$S5*AqyV=o)l0b=TR&Xe3%(9jPvEi?kK*
zE!LM7r;1reV!inW`@_Y@ia#mRHQKVe3<OnQxS&kaWn5gKjrhD?@F^B8u^P)thckaa
z$X5-K_YZPrrA4@AQ_4kI*=RJVmXra9PKqIc4`PNh=Tt{d4%8Qmrq1XzRR+0-v&s%1
zvD(^HD<^1gVoxHSIF%3+Aw}CvMcYh8+f1dv>D=t1YhBc(@h%r^BW#{4$lvVp#m{~F
zf&|jtjnf-#llXZ8bWQxg4lZQ!lTJ-c<@r^K_DinYKfwT|R1_{TIk?rD>Fm+sXrWE1
zAhM&#Qd&XHrm!5XASGsad~Z3TqA@JhFq`7)T^~nT3Q1;MpVDc3rwE#9R#qI(*6?p!
zUlo2vPt|n9+?SmB$?x7zC~Z(tXC&tq`toP)Sbf{iXF>Flilfn%P~Yfpe)8U<58vGN
zFXr5IaWq<6*gv{|_D}j}tUvS)i$V$l95^%YN#Enx#heFCc3p^NZBz$6G$>n#h2KAC
z3o(x#0;^_uYLZ7!oEV{TZeX%F<uLUa%&Dh5RFfvWS<_KXZPs*D9@j$k7A2DWr}MMW
z*|2al_lWoTyma_ez4Vmt*}NB|!@47S>1kZaeM<kd`w5TqP5q#K(D|@uFf3i+UY@&N
zyv{TbmKJ&z<aUHt=&sO9i}YQFMW)MbU2aJYci{W$1=1Xyq=b`Vy?ZK|Zj++AQhkY`
z#9iW%NLUFcpz59oOXEsffY`!{$&=?P^9UZjl~2)c10UBLLN>0SHFZNnd-YYWc4*p}
zU(F#B^%IyC{C1lGl|#8fe`q+fMRj=eI>n&ZLmI+So?FuCH~{15nIG(h>=3gEgnZ*?
zxit4r36JU-^qlpGo(~dk)!pGvyU)5M#ogoX#rd)59%dgNR>BX2xy1>@quY0``*b()
zauu8tb$;H-c?UwT7Wv<eOj%QM_vb$jrUW+Gey;TxO<vgSRcA_srURwNU~r`%HokM%
zl`@sMc<wv<?WrsW0lDJVXE&_QdK#ge2o(cHA#CU5QmQFE$dJA_Em~VTRvaA@i)G*R
z$*k=1`bu1&SK|$Bl0}*swT7!!eD-zmo`pG~2y9Zu%EIa^&;L<ytgpzgHG?Q{O61SH
zr{4q!ObNj(>>W1J`qH8t2cS>2J5#v)955#QqS?vJuz$h;nwx^s2tfQC6n#c$(D;zf
zs5hAsx|H5&^SV+NI6tRo24fQ801pEQ)ejJ<GuFmu7`wzy;}b?*kuGK^H<wsSTqSv>
z{<4zdsybaNFPXSV*Q#$fPxH^!b?Q3}U8YV;XI^JwZq*gK<@z<|)p@J^SJiA3H|jR(
zH=3?B-(a~R?^^$+z_rST_-*2yhHZg6;&&vrR^6-LX}-^OpLb{8L;m|qz7fAa@ucBt
z<J0D+^PcoS6?i)TiTDBi0mE~q;k<*1A0|FEd}=<Q|EV%#b$mr)b=6j*SnppGTpPNk
zLR_I=VOVVx+Kn?q(@NUoVwZnG{E~#wq3<v(G~<8>hGVli;E9(7N<&rpl=*^bBA+-X
zHuw|9fM|APSJv+|=*`q@NEJId*aPmlX@dX81(sCGua+AF0RvRF0OYP<(15!~e&Wi@
z@w-amrT!A9#o>1r2VvSsRn_}b!<pU#ezQp#&a72)5(d3uF`EngsO`@S1cFABiDQS`
zA3#PRo^LP|B;qhy#H)0A93j501`<_BR=J$TB_*)T6MT(@uOjuviMw=rtFUK7YAu41
zp$08biz*VyMAbmmV3jbtYH?LhRj-yfRdu$?Q1yY~PsU5l{zG}@qf8-ru=Sc%ONZrz
zMX)^4Fmae&c_52u{LIEDpZ3b5=QJfHHp*ErM>wnq53-oI#kMJnd0#{f<2f8D@onRO
zxAp$_9KCF7G~m(8jT}cWASmcRw<-YVID+Ps;B2rd$UP+iFXVNao3sjCDe0naoIGpj
zIF6BA|IG?))K!eLAno~5<~W{4YW16Hrv!6iW4D)#{dnwn;n>v`mYlYU^kZ*reK|G1
zSE4|RbNPI(QYIJHCo8B(S$V#vXc92EC>go+v*(3n=f5Sc{CaK??0JcT$k#{pY)k*5
z>LQobX@DUjQChQkG{io<F_BwhumP(XnVva=|KP9>cgH6Q)3bQ3DovXGvq|N=-0jy_
zMh#{&*RnYqjuH$0JHlDj>~ykuH6C6C>ECJM0wU*BH)q*3THTtIUJLaVm0SQ&jA&9>
zLxN&yc_L|1jp)>(=I3+Yfg;Or<}EeIE8&=QvzL0cT(4HcD@TL+#&Qu?W17xjH@k7X
z!l~x*_$WUldMkFE#*yGzv5}E?W3gA{w~lk8s9#-c4s5Go&N+3|sf1DkO-~vRn*?Xf
zxruD5xt(k`Z?DzmJ3S3@(?FAG49t{f>e`gHf|(6!)7E^0$);CG!F1Ygnr@z6+diSC
zVfv&6=2hm~jJKL@HQVQUZt<{C)8Z!9W2hm?#>&!)<nus43$bKI4jWUJ5_1aE8d38a
zYGpt-;~?H+5fm-hXb~-qUeI&3)SQ~_UF==!72@8_UgrIJNTz(oiAJ@NVcNa?P`{!U
z>ozP*RUM+aa-@P*^h8OG)nZ8|vGC`y1G;%N&+{+Cp-1D5u#rVW(Shh-R8*s9qii5b
zqcX1)eV(=8%9<O98cN|-)G9UTkEg2isx76!CNZEFWIa8rrybz9Et6ZW(S$DOO#QK0
z(1Bu*yO4-MMjl5$oGs!M`rPR0Zuv}K(;03xj5$)gPAnGBvh*RrLUDo$MT=kPNNIZ1
zMYR(H5y>^7zOJ6(eB5MUIQUlzn6B2GQivnp6(CNRJ!B2gg2+TE6(IG7q(W<xW@kVS
zP+I}K23=!-D@7OxkaJvSD=XvI3ur%uT@k7j^r+6ECMQSC?ik@5_Fxre3Wz)f!yyk2
z+fox0%$*w+Ej&1-n$0P%g6leP;6-QEJTrK&IW+;!RANGCLTE&2ykK+WfT#VsFwZCm
zfOgwz0<N57Z!GBCxm;7bpp)UOnBOhpMlxK%(@Yp>!%vrLs@X+%71m8!d_%DG#~&@2
z(-bXY@uFxvz5Du$CkC9RT)S*>H}<ZqYM>96&u*PxKl9eB9lo2dY^iF!c7Ea3l?4Um
z4VBf&iur@3p((N3#$LZ=VvgS0SpPuleYCsLSKgDFhO>Q^`7Co9w;k@rNmC*Hc^32c
z2l4+;&fy3IqQ8`5Azl;5crO6>eeIY6k@E+6mKNc7j>tLH%IjM!-dz0i45N#S1CAWk
zh-x`*;*T25;Vy`!{O)1XyRodQt>Njru@U(-AT5N{ak;MuT?ps`?RXpBHYiC&IK>7T
z(arNR4!wLhpI{U^{_?**$FnS!qA0)$y#nz^c<lK2`;K!)$)(`y<RbbV-C^A!{a-?&
zRMcYau2YIO2ph%Qg)QRa!ZQZ_MS9v`$SJlqyMj5b-dqb2{T>3*`SX!fg``1=^+*HK
zK1q;1wBWyHcnd8S8P@k+>!4K}fS0!7DwJ$htO-O%tS78`E3p5$##(Dn^yT)f_5#G<
zdJ0FL(e8d&P_Z)oO^)1@cKb|2jS`<CnDs@95L9TM$r~U(uh|kXAQckB3iX-&IFZ)*
zabX1@#{pl{Rd8t5$6>si_CqSH)2=LPa99i_r3ea2F)p+@IM8VpZs?|T;%yJ#_499U
zf2L#ae7oWel-a1OqUP$<qHld`d2MY8`}oM;e|GL00}Tzrp+~0W$&udClF{E**Zk;M
z`uqMI$b?e?Lo>iV!t`H529aLiA1v=H2Zb6B(0QVEqrNBH3)3Z*<Pc{Z;e1g1gD&We
zh`e!_bCmol{Bx8uAm6d>rdQ5@rh~-ubMpO8?VNI5Sw)gW`0nLe7f3ANnk&wMW-(Xa
z>F*5aS4kVC0WuIi=zmo?p`0Rrl#CPbrQdw-yuji}kGChV(c2%`=DgcA=os`q4ioRb
z$N_w>_(S~<eSbEb4*W$qN4+{W!@0n@J+xgJh@6e+9SVH`ABZS$ArK7QqvixS0l4T1
z4}=*B%g|o<L0xZn5N6qQn4j033ZD&I!z=So!ua<?Pt>T#^xlC*lLu<OGlfZ-!#@dG
z=xoal3$w&!%|hRUk1hvE8lR({B1UeqXXNR1dAH=Tjy$?MkLC?i-0(Q7!#A6<E_=CF
z(zO({9AWol4P5<wv(9w)_l@>-pYGGZDi*^fmp+_<_w}E4j-!}qPX4m|b@{@5`Jl&r
zUBHd{`g(lD$}hIiegcxs2_%udTqZvYl|z!{3x_PAjGrH}P_B6NQLY8!N*2jpkJSuO
zICcbNX@m^4O_&jV=axr4p!DFD?^Tsg3_8q_$mHddE_rn8(u*e~>1Bt0Ky@eIp|%~f
zisD7?jiKO-rH_8+vzE&1F#FcbY1mTlh6$*GwU5JAQCvHrE!BBB9nxuMuH(Q)lzfjy
zusmjr6b1<nPl{%cP_){}{Y1@L8@!xkDS@N7#*xn%HB$K@CnsI9OEubHZO9?egY@O)
z92~QhD-P<V0VHV5yO1wNG~k4cae;hY>O?D|m<5414fN(yHNPjH<%i7Z#_Z8(m`CIU
z3nR?op@PF;_>5CCMTu9IYIU^9;ag8#yi%iT$75OI78^MZHIWadyZd<48LnTw%c&=<
z^-!NKx+odvlExHV5$TEFDBdV-69?k^;v;dr8Xt%=68Dt3WAmhWhPkl^^!TurD)9-X
zi%j!P4~b8d?TPD0;%8$_QHT;g3TTJnNo{LXW-FH~D@|*Z>y_PPxAL_9i2k)QbCJPS
zY-x4|U9Il?Vo!4*nBN*gGqYIk)>bW4PRq+ff;mLYVGBNKTctYPJ)Qy2K93NBhRr-5
zmUiecR{R&aBoCjvs8-if*|K@ux-;v{Xn!~E!Sf$PeSZ6plSf&jk0cvtWHPTPCK`&P
zMTSy^#6)-{`lv$7q;icgat)c^BLIMF@QwQfeXtRAfje`CTbp#^(jl1h1<IIZ$GK9Z
z*1-*|<1oyA*fKEVfm5IS;JVqMka;mHbyV2H9)E>->};j3aap{xZBcs7qE%BTefH|B
z^rBf$eM=*hpS}C&MFB^o?{)f4Yj0}y>L0!FD?s#2(91cv!<9qwg-zoSU1IQn-&yPc
zL1NPan?^8g?u1Hk=$Ak{Tu;JBq?r+oR`Q7Ia5zw(nEg?Qp5Q16SL0C3JK>Q-oTlQ_
zgUs7n3q;;{j$?yZWi|tVIC%wq<rm-(c6V!F4R#zqKJo=K&UX)xJs?NIh4Vvg5ZN~x
zv}3G74#G12Pfl8oPat|AIPSsu^}XV^#UWAPuhL^`921K;eCOnZf|w_dVzvN#K3fDf
z56`mMLcy=H@E9&nVXWP+ba%(9wXtHP9NclPve?`0>mfZkZwr!72|!E>q&#XM1&hy!
zYHFF0G=w;d;7Q!9O={V5$|{q7ozK|my4<rEcdQrX>2a4+r^lUf$vs`SmEEb^V%a9&
zmj4)g#(T*17W=jRH}X05Pr>Ev(f1g7F}tnCm-IifpVfoY>8-ai!N~DM2RxZkXPn9|
zGR_XoWpj;7@vZk(*H+(7*LRHHF%26I8Pld8vOlp?mUE^Y!wEgUPB@`weLUoA$B+Ng
zP!~6eIV9n6^BK6DDd%GMX7_IQNm!lS{$Gd`J9q*N1i=SGSrd>t4F)2t@nwF>VL<;A
zgQvuwvU})S&t}gK*v-!6<P7l3CxZr-Fzhg#GzhXm#YL1}LmC%TbcUyGZjo%|aE1Q^
z=1kc5jVgiIWSe3W&f2JrkHm<zw6z3V#w8c10JBDMBLD(EzZifU!Z`QC9sxmtYyA$~
zc!R9H)(u%3>H)uf1=a%=0~2|DJwJ_a={$)4tjSnkm!=$`QC1>9LiBi>Ig+xd6)7tm
zEXpH8CEV=A15P7`{MnR0TQ;6DWmBeXnNdrrHe<?-Lqnh9NLk@D&72ELpZ~hLx?H;K
zxd`r6XdDc*z~hdFp_+pn=zc?&FW<88wu+GZjfeJr`1ivPzc#vsJ}Jq*Wp#6IVH1C{
ze*Lm*bGE)m>90Se`X4{t&{<fo-UNAQHf|7KFWpIE%rK7K(F%=URj6EAuF&*qKdj3(
z9W~fWsev;w>cm?AMa6%>WAkiIp2HCXzK*jeBY2X@P#6v3dvANGeVF=(oH~BL@XUxj
z(sUf>vRS4CmNX*2BEQBT2uzskI9ob`ZzXseT>AE_`K7u-^kgWd8X{61$3Uvd)!H!L
zQOz1QYWWz}Z#4PZW~(T_z=9xQ$42n_<KRI2(-OZrdAqXHy|YMY6<RIRe76a=S)_+W
z8n4(K9>hOI+-=xx+$HaFq$`ZF4s>d9+2R-r7;FcFhI<R>!JvLvFsPwOaCh(+E?YVZ
zqq#KJ0p&MQR_b)<40@9c03W889@qhecbI)VM9X5sR93AerPOJ6$oJaqw2%Yqfu5eE
z7B)0w!=|QeSXiZnswWUm4%#RO@x{1rGh#bo)7gCGNAU@Ze*B1#YpgM7xd2^Fw{1l5
ze)s8qZgU1R!u9H=QE0ZHni~IcMvHSiMNxNA)Kd~5#W{rm%|-;SbKz7QLeiIxgm6#L
z5vhgYy$-^;c3T*H2p|WD)4AO>Zu)p2I(g3MyQL*ld_zN>hx)GQY)A%kYi5K(MU`sc
zBVp#~;{yfdg@q-pOWDF{jay&b&{|O+tPNl7a#gK*d&)F`ADJ{ZRrn9c<P*ts(j`2o
z-t6>rJXo}|P9PQXBDS$?BR;V#(^cv&-L8mD6J{@3J7Ggn@1h;z4(XQMTfIAKw@tpK
zZAbg<v%iu14e!p`!{QO?VD3Th>&e&KM;4t}bZXJrMgBa+T_e}#)P)vFPZ(y@HTj80
zs0+{V6JN_0U)CF4t{kHQMh9n<+lQRsNQjIaz}F`{gaOIiv^%;ldMqm7Kez2V)EOIq
zvW2RumDhFd##M)7xF9^<Mhnp-jJm3Ka0Z>hzhjw!JI_rs$~o%H=*Xct!_=U<)*9$$
z10oJ|W2n{bY@sc~LX~Rq%`nA%w8J-mZ(Y96evaGuMqw6dM3G6S_u)T*l$YCQy(lEW
za)a<wWR{RnLpZZqo7j=qoe&aU&R-K2&h`?usY+pBE}hHgW(Bq)^2R|KZ`5*l6-3Ue
zCMytZF8);|#T|wb)svf-+)+Yjm-Lp5l$<CLOKiL*iq2`rY>50-b#mFXWP`FOu}EFC
z2Wu`Z;!Oi)OLCEI#{*O8RLzPrwMy|&yQkOlCW!rT<{zqqxAR!IVBpclh||vRtFE0*
zw5ci~bO@|Nz;|9U|JVTA;LA^HA$mo4PSfvs<T*Y^;fjTej?!yMn40!)#bHPGd<|Mf
z|0wXIyYEb_|Fj(I<JsT={ha#8`sCBNQUZmR->%n~!sz>)MKsB0_`O9)8T~S^kILW@
z2j2{z3^VWvoX0~b!_||6Z$?i>k<-t$S+2H&;(Y$~&jp*&_3aB9+6rp}`MF*S!$5Ua
zO;xf=&@~s$E~<={70r*%4bZ?u+}Cceou!Z|v`Hb8q^1DrsF)QXm&WEQwADK`K<5=N
z2+;Wp@*Di9?w?3zR?Sdo`;6K;m9;3K<CDe40KGVVNr22Ly+k2xxh?qClTT7JF@522
zi|`k}G9W(x;Yu54c72+$Ni|i<fYDmn$!$$%_dCZ=@h_atgYR%k0NYO_!f&fUhtkYI
z{Jti>f8ixut*T8znW~$hwW8U>e@%@qE`komuL6vxkglD(@c5ovdR~s%@O_<NkA1EF
zmA$POm50KKK<`f{b+5hhk<VVbt=;UX)h|xQQq(<Td26y`=F+yBu}|WOhUMQs_)Jam
z;rHmprT2B+@ro+xjJbIxNjI%`;BZb+D#xMdML{xJdoS%<cJG4fI<Gf6#ked~6^dNW
zwrsq9*Mcei*Y939<@`-GozX<$<jvEP9*@ZXowgOk>7UT%>e!BP-k4txrpM;VCWlF5
zgeGqxPkXhadYDB&(QpEhQ}|8|Q0cXCqk*@GbITCVC<-TQiz{dtpVh#ap!E^1@bW$?
zhBN;@$a4|-STk86lEpDZK2q(xd4<+r1%(!d|DgPP{I}rWlPFvXTro+4@!D%OJ63HS
zDR$(S<LCyTCB(TE3tac3j{ub8`k-cal3#hP8V3zrD}>Pk3L<C27j(nUB+yznuU7N%
z#^NM8<y|_8O&a?(X)M>Iv1QY^rAx~iw|#l*C(y7~GpuEYwVGkf=B#G<MFjuu6vPIR
z^UrZ6UQtm$VVrAgOnW?j9HZmMb5J8;9n(Ip;8yZ@y;@dls_%i^Y>(QD2I>dv#dQ5h
z{fT-ZrlTG8J@vgjORcAh!CM-{sUJSBET||A7SAX!l?LS*k#K3SXjrhRm66)w%I0LS
zwv{Tybwryb#43kFHu=1T#z7NJo2cE?Yuask(<I`=>H8|q+{1;Hp^A=*o{HWIaiC(b
zf~6}cI9A0-#fb{BqG!V6&<<f}hCs<BOGuzRyl@bN(|+79AOCuDoH^&@1tc7L_=^IP
zFMy-tJbgZA&*PRd%`l9UeeD3%!TB*qL(Z!`*=uCLHh#9xd9z-#)Vjm9FxFnkge{HE
zT6=Tz#l3!)&6H5bCcD*YlMrf6R9!j4otiq<Fe#GbwTJTDaT|3?caJW;zHR<x>eFK{
zEP$P@u&}sDzL>T?aCtmAdn|ByWvH;wWvZVqOv-AH{A8vPo*wvOCIxK#WabDd1S81j
zBBIl(fx9)VSu(=fHOR2bD;U8+G+K_xDGl%ud0RsyM1Fdh!@bc8oXS#sM1HT;;#hV8
z-QGT=VVlCuA-S`|Yr~tth6~mLhkNi*xhBbKT06%^U4hO8Y4B|j_2b?0yIEBd;ICo9
zai9cfW(<fxKgR^CqTxVT^Lal9+uLF6;F0F$Y((`<n4p`da#PnH9pf)0FfSD7U3_{U
zs{xKlMq^>bs^No`aj>^)_`qkD#Ro(_*6@MnX!zju7Dm2=16uSr#{TZ{rsDu7pamZ$
zP{B7?NP7x<3kM7L6rL@Vl){cergE>4GtTPjq!!jUWJ8>BYUxN+3)M<rUJ?l6no(da
z4LX4q#lB`G7;d%rEUrOJC54OO7QM@98pJ)e6z9Q1EwwyQ?M=19RThiYXD#%qu@nZ5
zQ=Gbn<e-;!cxjKf*E@)hq|bUK?@(muF%2E~u=%&*{5I#Ate6UQ3{%TmNyevysR7ip
zX5lY=>gD<zt~IdMR38r4rDYQ*mX$S5{JO8Id90<S(r?rU^ZuX4z6H9C^3Hd@(R=io
zkz`3TvZRsq7>y-Mwq@Co6Yv=FPD~8MNlcq2lu)41;-t$XKpJoF^4j(iZy&d%*{!)f
zr_1j4>=F{lqbV1|O}Xr8)8^bQ?9y}Ea(Yu5+Jt5~w3n9HxxfE6a+2=$o?Rz1^UY{9
z^J(V){hz=8|LZJ=Sj_bVeXy*%d+9=MUf<LLA#2Mf*v((6>T0+!1qxAs0t<j@ha4}q
zxqL<A%v<Ga8|I_nUBT|*Ya9VdX5+L5XFtQKks4OTX7PhYEz8=>o##&E+??IlIQOo_
ziQPl8+FTwDo6Do|4v$Hqv0%w$Pt|0mWSu1`p%tNL;YK)CJ`P@A5}Kg&$ROwS0DzZN
zyaaSGfB|qAC^MXgWa*zhE4jh{E9WY05ipNHBZ3V;4%#fAgg|BP70^6|n~`yeUGmO@
zqK<`I*_Ie_%MAa&;QNv^<DUua4}VqJANgu_wslC7T53z%CT~-=W$%*jR_@O37k$6V
zoXd*SzCR7U;&>(ew)l4Vobv04cSJ#j-|P~7q_r}<OS&iQt&82VUertV7W}xfr$e4#
zH^>`xXI|dSHizGme<QorD66wC`(Bp*kK{`D;&L{f&8`ry3A_DDI2zOf>2M~Lb>HZi
zfG>Sg-l%Mhy47$xoyp!PI@@mJ`XKlWe3VRfNJbOS=pm#VKL`Sr+^P`>;MQ%~#9cZ$
zJoLA?R6^rCABAZAo{z#>t+k{*3h}&nu!f}3Nw5ztka!6OJhBNn%tYjlMrAdtWz-r3
zjnO5EzKle2#>fvE_0eW#a5*Yw`lGU3(6cd}iFy{2y_bnG23V>t=-DW98e&+I<)kzu
z2#KTYthGKF_@3V{xk2x$nw0##f$4yFKEO@|-VBISfjRQXCla%WKWo_*Ye6sxg?e46
z$+ZK(m7c1(#%pZ4HiL2%+n2PCvilF^{u&`t<W3+99f2L_2G_~E5E30D{|Edei$cmy
zJ6)#IuZP?v!jYFzZkml2LJF$g5O6}WJ$`LiHD3eQAfGtl@l1kC?b@}I9QM1~00n?W
zcfxIdOpq~bV$e3TWz;jklD0s2<#0<RF5_?cX`{5l_6EF^_7FvzdlosvM68P>%V7)(
zX`GZc!2v}cPn2t<Bptyn1}K@r&VHj1=9OY`!`o{E-du@2al<D@fAy=6cJ&t2s~4^<
zrOFGxP-|lgwUzk}e>kLT9o-6(T~Az?dTn_m5QwGWdlqX;-&pwP2Xpn1R4A~HXrjSx
zTR1hjB*_W|#h=Js@3>}mRZ7Vdr@0F9F$_-A!T!SLG{=Mlgaen3v4ER-+TIn;GZ^O?
z$dHGUL}Ck#Uvm8r4O;-B@j7Q1X#C`P9@})i0OsJu;z2>(pIQFsrKl#M?0#J7CpEA=
z_(`jR#wWjWh0bS0xr~d&Xy{N-6SKXv{Vul0g?s<0Q?|%LgP0c&Y}z6#5J<$^gT+?c
zM!3hHc*>EP#9ZQh!jZu1J2bL#fVS3fYv}+>91QLl98WMSF`n3-m`cnfp2CTqfSK{E
z?P6xeZR8ijoamCrEeWg;#J%}tXlrTBr2{hoHXdNx15<&Sz*B+q0axH){0gCCD_<ka
zE>+9`3JnlR^o$1||4_2DUF_^Zbzs%P$Vg2KWs_PNiJh(|J{aA!B+aFW!`i=!LX3np
zgA{T1!iTZh@lS0jl9=SS!X)>gB^0jwC==@eEVcPP8o%VPkB(SjddIyLepaP#XyxKr
zXxL}b5i3V$tsGr7%Fi3+gfhwrWpsUv#LD``@1bGK7c}e(pz(VPasnqwbeZ)P{`Cs~
zdIghE03ky}G$fNG!Tt{|jzb>mqzhvoCJcRh2(cep(=~<^ehr0RLqW9ajC~Egm(Icd
z%l0+&Zn_5ce`NXT8Wca``xii?xQ-rI>-{TMllrEw+Bjj+IrRy)VdCzIy~x(z<X+X6
zELQ!1)41%oJkpXWrc^m8&qJim%`FNvSTSvLh76j;W}DPO@St~!BvjyYBpnY_*%lYe
zaCuza?{RrHPHgfd`&KEO;uW2Tzw`<>VJiGsWoVS|jq<(G_4r-C<dQ<yx8OOw&*cbj
z(9l5RUH<9N&=$OdcldZg!yZ9syw5*fzkYH{d*Hw;jV{t!M$h?z9|M`gH9vSK<a6Mt
z2ZAUL_aXw?XM`14>R5U&o_StN0vDa62onA#Q&#7I=hWn{<Bn<g^(M(yLOf_@5+;#u
zW|Bw63(s{8nVCK`EPvN}GqY-KmttlTu!^3`SIi8+JHhAjqh@9$8rIeM31e(@V`gHx
z*BlzNT4vcRc#5kwZKfAftOg{%$L(}^R;@%rO+uPXBs5tm<a%{Br615mgw>i>c*v|(
z3QKy2*woO0A#sR~#m6>}7S^xNj*X9r(_=GZqA(_piDMYohhy=9vF%$XkBT=zX6;QL
zWjh|`Ie%nKaYO<{*s^(4{ouycbt`UNPEb4gBk<v}Wn*|&R4a!kOI)g!gQsh|Lt|Zq
zKsZ>;mkNO#06O8WQ1MEO3rL&_;>-k1fE`5!*B>#v+OmZEL_MCwWj?}13>`+S<nmFH
zJBxa2gN^Tq^xWRq^iaobPpn(BGZzm^gI6sqi!RM2BxlOl)Vy=OD0U35T<BZh^1E`?
z4TH@ad(^&l3rk1(HLl|tVHT^1XLp24-8;73zi!>c@IwptZqnm0&k}N88E1b!RkNC_
z{gs7v+-8GRx&g=ftaNo~q2s2(RH2YsI>A2j<!Y|252LD^<Ntz_HN;DttjReUxe>*Q
zKE4il!|^<^gc=>orwgW+v!r&eFy{x}ICqY;^B8zk8(u$~`JrJ0@X&b2D$#h43u(?w
z()>bceu=cneIq7UoXtfA84Xg=IL6;*ayasPOQNfoLZ?^&)&9)#^;r}o@9Pgz2?QBS
z7Z!L+EMFm9==W$<8{<>2bJvK>kv@OmA3=DLD1~zp;v6UV>dHuk^^tm<M5XOv?c;6U
zfj;~C;R2<$xhK4wQ+PSo@Wy%YJkAfr0S7>EJq|!ZnxC2G2h#k*H2<OWecqrOq4Dk!
z`if~b2iol7KXjEqHyv)mSK@8b`0s6wH@7#ZnlnvTkCR!vJ&nBsP4|K3sit_K$+kDA
zn{!P^+8Z}BVcTtDnwi4dF0Yvht<9&+Ox|{z^cmfwy_vq{n1H3f!JlX$p9e%;O2iAE
z8818FWnqNxX1zbaEF|PMNtumwp*w4io7>GP(>ZO<m<LRUV9KV5pEhUtFyPJY1Gejg
zKzsj5*GVL)I^52p>PU1ll#g<0i^CYcO{C>hJ_PbS2?4@~@gMV>V4Pm*OliAP2!X`b
z{rAtWyGxIU{C(FfER9+X$vHZ9-@X124aC^WKKM*J?QwYS<#n5uJ+!cUb5`XZlkf(1
z-=3YHSx9e<r!mr2?O+?fv05X$Qv}lnnhoPDETqLiTW9Em8b|{wz{6>6n@%PuYd}LJ
z^*ydHP{WGSK_@@WnE={VE<)#{_!gIhZD+>i(72C2r}H%Wa*Ak5bH+Hu#R9N3p}|4y
zV~vYL51^*gnF$24JjBgK5e);#B7PGJqOFKbcd)19hvO)o?mLlw!{?6tLSn0ZE8?3w
z9%i5OJsy4|<;hz8O(zd+&t};x9sj6_R+g>tF7_sZ+s#=O=>Ho)icWTl*5l6Y&MD`N
z^MKRsJWC~FMy$XrOq@$mT|#w|TdlJ0Kp9h7j9-7#vw_T-XS2>VsE7Ij;aF)pIhwzZ
zMBueszAb2&(7}m0+4|p>-%eez3+aHAQ63dUuFW7zM^F_?EOwTpqPwJoW4e%Ln$F@r
zw2~gQqCr__DF;>^{)8^5F06<{a9e~L0B{hF6SM}ZL-g2E?h)^CKOj92dLVLt{GQ}J
zonGY2*_m>_PFZQCupowh{#n26W(SGdfws02eQ+>Av9=h(y=23bMB&t@@4WX1dw=l2
zZF|0VWAn~yW<PWDr|($hc;;)5KJ(y(>2G}Y??3&!`$k8;_Ry;fKY8kZzW2H9Fgh;&
zZegwCTc9;VXo+2IS~Hh&v~<7JO&S<EbFofFRY7-{QO<*-ItNQbz4<-&aiDR5^IbIB
z7)sqyu0)(6w?=_ql$o*oP(NzL(BP!oV{k4ka4sw`P$xJnywUJSgW+EGLLdqZR3*48
znC;2Sw#YG||Kf$`i4glGqDkPP+!K<tbQrzkbQ|S7GK#*C41lFik|f1#ejR6(-62C@
zY6zY2Q*WpP^rlB-+lfqRIJhI2=P7Q|gSv^TKP@dKAVy1GBY#MKTyZ{9WlO6gOV?FD
zRQ<T}@#?3%yOrJ5Kl6UW^S1YQzF_atEse>6y9S)rQdajm%4Q@AwMu=YD+=Yx$O}ep
zgOL%Ii;+s%;jAJ3nR+4uo*we6$xwe^R+^E-?b5XLjO37hrHd$8cbk>c^>KjnL<AQJ
ztY-uCT)FMT1jmF!8BCF|m^Kn~8GaG@&lbT(m5L(-8+{pS!GNOmdeam176(d!Qg5;8
z>DO63h*iTksIxwQO{Wl1n{>e_sU{upMw63{VxxmJ9XrfJ!5pM3x82NfXhMs;(PcAC
znA3};Cq<@}R_)vH=O5nr*wo*x9W3`JTI&{cb;v+@rF<q?WCOm?CvMzv_4OaNw)EBu
zj@GW%ci(*1pZ)OM{=FUHo`ttR(#TLj0e{~P$44i7lcBu}e|L9&c*}JkJNCbKUYCrJ
zrG==Bcm%XuX3w`Nx!lbu*_}-&23H}BWR|rJt}E>mplWRG0}WemK;s=d3Yq2RQ<f_l
zI0|i;#zPj~BNW>pms?UOfxJT-jJu7!hQla(k^uzaM^2I*at>Aq$mtK=YUD{KrQtG3
zTY0)%3E#cjw--gFaDk*7J>}%Aa63c6y=kzyC(!sMHx;PCF%8*lw|QCQ13JMm4Ym)8
zf+ENpfRY{V7yHAOXoWxH^jO_&TQ|!REpn~?k-TB(qos_oT#)?TN=%oTGf9ONTQZzu
zlc<>Kf!@B&&EUv(*Rq(2L{JLZY*uH}`izcpb29Y!IRI5%`gW6CNK};)<j6JgUBGa1
z)B&QW=eB|%d7@hz{Knn7yC8+Z-a1GG^SI%nZk(`b>)*O%)_-dE(CUFgesf2pqo+3-
zyyohK%E~TPas^Q_&yZM$<C*V&|JtfCxFTkLWMR#E10uE%=UVSAPhHhXVixqW<Kk)Y
zHPB0+bD&KxMuXE!1DJW#ePKKv!FW7^g;Sc>K!%YxVdUU+dXo!WG~ToNi5|jz9<LG3
zIU^Mp+wEd^p`J;x&KT?VsP|>qEvWTW)HSwUo6<xr0^AyqV31UGY_Zu2D`bSkGo<s$
zAD)zdX!E;ECTM>yY<QjB@l2%V61)36_GQ$_Iv2as^`J|16}vslGi*oZPXIe9qAm^f
z@LdbBNB2ZH-00W5A!>RJAadLjhSBKf)PlI4y*&X*w-p$=ty|%h+d3kj;F%5R6p@bU
ztEyEo5~*4KRuwq|$=GDzrqX`-iv^eDK>~rfy)o68Zn(pZqfECR1&jP{@VlWCg%ibp
z&c9xGqxzQft^8Ysx2yihNOf!VlRbN?``A8lpJTdXTANNycRt>;uNI`r0+PcQaCb`8
zSG)c(@9lKNV-Zv$Q_WQMN#B#we*FviFBJTdO0ZmATiwvu*0|rizxqh%Z}QJH&N$xc
z44B@&jPQb(VOds(zw{`p928!t9c7xObSE?F3#p8j)tId5cmedG`T{EMX;xPxg4m1S
z88-OFm0|x&sMWjsP$mcuRr|E6Vn(QyRxDnp2P=Lr!dQgD{l6wOha+bBr>Mf=6sod1
zfM*)CR6|p1Ss*s5vj*F4Oc~RLLpOR2(fAhAQEO9w*2bS<a8Uj}kN(XQ((GamNV8TQ
zuFr!P8JYw;IE~LCm?$Q4`ijJU=nfLJ=|a#S3kLmEp@!V4lSm4q?EYPUkm-*k7u%2V
zTut`{2T*E)v;WSrnbl>*?a3-IZ{4Q16GIqK15er2N!k5i{XF`Qo>{&RJinEHt9(#K
zK0jd9l+3@yQfE<+de$-P|7viiV@8`v&2&E5_2v9*Pk;*E5MF?A5SAa4oEAP?-Cx*W
zMQuU+I7=z(YRgwvTg;MLA{NS*JSerGe$H8{)T-f7l`qIRk~5K!kWMQIdZ6a`Mr{?~
zP6BigW+rU{*Z|yJZRcJdL=g|V7ScEw5>G`eRXsxAIgfB3P7AjjauD|k(gn_2ks$69
z#5q`!3SVs3v8}ZI`!${o<;76(0v=N3#S7X9C~nlFbira`0%D`Q;Bq1kC2dHY$(8Q=
z@XAekcH8H_`@%gN@5*%~g1KDh*FL&p^UVuC>FL@3;NVz8ks|@eGYhYN;p1z2mXyuf
zs$0Ik=gEwuu~naY;`-K#kIW3WHt+mOA{<JBhs7@btGLYh63R->w|Q7GZAGBAr8!p5
zAK+$kpd-p$QQnMlK^9#^B%tvgSK-h&Z$lHJes47#kD&@OraC~la^&PZO8=cZ(e|YM
zcrnxEvWrYj!1RZ)%GXq>WwDKSdxrbG@J8&0iiQ=VGp3LY8cwl}J7R1N&`xwa3#5p9
z`%}!tRX7(nd0kuzy3j$2g2DTYo^ttzh8>5AM$?^_<zIzkZAa!$ZQVL2BW$~sheGil
z@mhf|526F3fz~#*O%zAcPbyEUFLt~bKdPQlJ+o={xQ0ZA4Z&@JZNc9pVJ~(hjie*q
zfr{!5MypurDdy<tZTHsEi#h}DK$AKh{{bMbzeZ{9TVtv334V&sR8i9?P^+g80634T
zU{0s25F3xOX%se(%FzSSx#+3rn^AXkd*?TSOtKX?o=bzmsHhzYcOGi~p@QUT<cMMq
zAEAt70)_oio(jB~19PC6?IP<{X`mV^Wn2voHGsbX7LV|GNZCSdzqPNw-YDm;R*d}g
z^4gZ}zZm*dPr`J*wD3<W=l@~yYP0;&TN>ML5pU1M?^s>Bl_aAG3v?bc%N51mHdVz9
z?&$$zBmXS(>*coJwyh88ysiN>?b8+_Sn%6w{6sCneZ(lyX9Hl+uq_5O-s7S9NMX@H
z2qlYdzaC1u)722*))>RjlbgmX3CLDB32hd76kMDrJxOEor0v3`?1d}zsLdW57VPj!
zn7BF_0t6FRwJ+&sULqeRkx|=@UFaIrK(cu06HOxVs71WqlFlhlchdn~FQK>Za@s?~
zj>J=gduJmNqtvE7?w!So{Ic9RTbUyhas))k(J9aeVaBAaCNs$0q8lV14j9e>|4?>V
zU!7g8yEJcf1K9_;4Vj{m_Zn=}lkqOs{l&ERC|hAgCFCSPB+(-ZNq))i&+(Lm5GGGS
zb)G3UiyAgg#$hNCRfCspJUSB<r?JAMtweNso9sYzrI+m_g-d!GfGBXPK-y50uU&M4
z#Lgu&3Kt!6sxz!~hP6&qn@GuN<SY^ng_0AHuSJA-Irm_Z4go#!G;?k01Q5k&I&MMU
zLDmQ@ywh{<Lo3F1Ry&7Qv(d?s$|u&fZgPBa{<T@2aq#l=HItv4W>1dxr&w`*|Md9a
zdeL*;5R&*2R{@Ql1C8q9OE!%j_W1-Y;^uWt73k$U77?LtU?Y(`boT5BB9*+1MBB07
zmy~=dWSe*8@I8NwyXaz3x6)0tphVmvKZ5bC^M+2>Ia#^<pUSMmQvC5r*p2jBeUTfb
zEy)k5C})cdDSxwzq|nVB&6pa~^1d!9r|6MFQdf0t*w>PV5g2W%!`fQ!8sBnhMRJ9@
zM!UoNm)<9Rf2DmjHQV*K!ryqm;rqJ!b)@Y74*>5EONWz3)Ng6WQ*&LfC4VdZHu-_p
zGwVamG{SLgAK=?cpS{hP_7-_G{J3G*+kD>MDhl6PmfATG?s`a|>cCU3hx9*nJ*@2O
z@(p_jqyc12z2ctB{fp*#OnN-|sOlJstWJv2WGoXEQhG*+NJ<8y;1MM4YpR}9)n1<z
zL+*Y`(+WN>T6{VxOfj5c(FoKg!L6x&_~{{@wn<Eu3cySqmVPL?q&+@>qHnWg%UyrU
zd(8WN6qelMQ}59z`B)cx_<iBXfRBDBfS$BH*x#hhkw8=M&B0tc%3eGycd_X%`)S}T
z`qhWS(SaN>Rux#you~>%Y(tw*zNLb#Cg0P}(RNo7iWcGl1k^-m8k`lyrvJmr7mz3v
z4yOy!A18gg;>Giljx2gGuQNxm^%bBm!&rcp0$0VGmK1Gyb(Dy}!i{TQ0E`g)i%Ip-
zC^wi(lu_?Sbbzw%0jf3>_DrW?cD(j_!s|z2smees-??zyTsRglXO(`(7mFo5-@D)z
zgG<sOU)YaQtV(9(g?AjT!Mg18VzdM=o_0Nl(NcAsY>$>wE~A9RD!F1pg0GbHI?KhZ
zJM1Ph9~r6F;WxOV-i1A8jtM15&*j7wlby8o@-^%v3>k1&S|>|Br%>h>-;LZU;U1)F
z`|kl}*l%CGTJ6c@YCSY`z$@uqBU@1f<;PojaSihRa6dX}7ZD&W02Ur;#tj&lO3~13
z+iG|CrfP2&-!8vje7_u^6Anh3{Jd9F*@0ZGX6_hFtEg<6mupU`lrB|Et<pr|>BQ5?
zr%PUcai}n4Y!KG7G0z(Bs=`WRtUP8u=9!kKmH%3Nto)ccUHhv1MLM~7Ts~GjR(`Se
zYVp<b8^t%ur)pWug@RNnXTn$X7{0RGY$mRiuT{ofH+VKBZ!jPC?~@-(KCV8Vf2{ae
zX}Xqp)b~i@(UK$Rn`HON_bE<{3B1i>QDPp93OS)<WIdnD=z>|z2w^Fd31`(z24?*u
zhrDG2!gP;iC5r{reDV4`1+yG8%`&K=X!Lr0F_aaCcA|C^q+(2xiuppJH>t*wN!2W&
z08)acgOl(cj<d5EL>YGWP?m)i+LMJ4bQ4HHS%v|x3nCrF{0=w;gEV;@^ZON1)BUfl
zaM?m<fu!AYbYxw-DEgo~>9}J%>Dabyqhi};$F^-%Y}<CyamTiO@_u`N`|f?uIQNb_
z?pS|JtXZpS%x9IKHGeaYr|5mnk~L-7-Zru=ixbF<o&A!F!zvGnV><G_xgRK6m$yNj
z!LBEvc(g=YIrhJ~f36JfN<&bWffIA<N!(kLnj{rV5uM~`c~3PDmwI*w>0bohkP#k6
z$)rrDi14Q$WDl#2%jJo4uIudn%3xIxQDk+V7gX1q;x_h}IOj=eD0b{Ix>Rob`i`s*
za&Gl?ap#;J$PSIWW&ouK44ezri825aDO#D@^T_dgg!*r5Q*EHHP$(K*1(nW^5H_@!
zw~}%@c{unf`oE8j0dV{^3Kl1~q?k3njMC(BAggB?kn@!Ts2LdNS$wHx+Zx$?e|jIY
z&s&sfA?K3WA%~^K3jQLoc6>*{lCl$>+cb3#nH2N4!ZLUoaD|8$^}_VDafaZ~q8p4v
z8@Faf@3Q^y+GZOJ!Y@jp2IsRk;jCYL_BHnXJgO7^!I29;0BeYQds&A7aZf%8kJPc-
zS3SUTD~7X^4uNA^S{88hm##-YnSImxG}13V5r>?^^P3hBp7&NuP8p2>^mZB^h6i)d
zgxT&{(VeWTj;EVM5<jXU_D|Q}t{L9_*|`Gn>Q`O4w~;4>e)Ou|&kMS5AZWMUi<ieZ
zRYA5`PD`R%#5bXJh0KaJaCh+4*S4{2<Wx+SlBeUR5Ea`pC&fEYS3KFBADuTk#<pIz
zJ5t#i?yByb?j4Cxt$hyaP-^uKs-vnhqtXi@r0#BguJeDNu80gOe*0WP5JmZnbe1Zp
zQ^AptmdF=u#g-M#S87_P{(aBPBShm9><)Bn;P8~`K0YOllzFO;^z$qJRv`p_5;9zn
z3_(9=SdX!SUJWih7g&jmQ21E7dxfzW;d=OJVDa1AJy|URB!k6clSQV0A-bfqWHg;N
zrKHq@JII7#$qEhJzW>Pjn?aN)2!BZ-U91^~$YOV)j-+IC&+igUQ6GLZ+kBmZWf0IR
za*`xVSrX!VBSv#5N1F<_51WZa1tBD<qu44&Ge$>x=!|3!es3k7YR+R23B&sq_E3v?
zJeRdzlSvRhb`oaw-IgaLMw#HjTA|hi?nMKtbp&OD0)PL2h@y#RT1kLpcu+gmZj4&j
zPB2_H_A`^)1~!)2f*v_xV@Wo5L|?^SBtrr;p3}E9DS*B3LHmu6>FkZ$zHzF=cby9!
zGWl9H9hW}OzJMrnvF!(bN^m;znjiGHhSCy&#Gap_2<9nQjJe(iKbu0^GHboE#>9W>
z2O$2qVhX7d0#JpwdC`V*yO+vO5i|y0OGoQjf@KC%W%A+Jpx)C%z4>xr6dQH1)gBKY
z*!{%+_KbKVoA@`0oUo)i^!rx8*htd1CpvL8ko2f>*fKq-A#nK`lD}iI3alv3hucKQ
zW^shDRloT;taBqK^}(fHJ5bNf;5@iA_cztY2lCx^nVZKmR4F$ZX}(K|mFJ+Xa|pN&
z3+n0yPOWH8CY}18B5tq3sCk<WuE@8C8~ST~q}-u{obNCn#^U~<4`sRbW|Ru~aTaSZ
zo!Z*L$J=J(tQH3Mfco<5A#<~(t&x7SK(tb<tEQvGbh}Xy=rq61SJC-FNnboAT&H`{
z_Wtm-tRM3q#X8I7c^EO*M-J#9b@I4B9y<deiG_q{&{gU$T@mOPSbgeH1QBOEcEul3
zh_q%UNj4#N-Mx{_)DTB><W~Zb65BGA;4bQWGI8ne9V;=#*3uwso@k$<CuF0Jo<%Zo
z*D8Td(unv+!(QzpN=}FPxt@WB42dTAX4E%7)cwiy(Br52`@y|CA&vB0bolk_9>3r3
zxC;pVk&8zxB*~p(^G<X|26~O66o5BAMfZO0c>JMx@u~_{ySM0)l%{%yjss&HNui(M
z{Sr-DH(cADLS7iolNZhxUpw22Hcq@(a|$o2d1-m7d_<nYFUMDX%W=?U;ojD>LSz-o
zl-t`$hgh7G7G5oU0iAU2&MNaB?L`=}rK*%#wbf3$R2%8j6z&WZmBoVdR|jj9U7(b8
zf=87K)6H|+pdjA#ts%>j=Lvu0if&Qn(&K%iVwdnJ!@DLAug?ASvFqlNmiswjPU}OJ
z&el|o?@z>4Du7Xb-K2I1pq}!-KbcLg(|i%K<0`oh*M4W$KF^~9^5-K6nxyJ;?B28f
zKz?IeG5g$d(7<z7U^i5RA2G>@kNZ_iE)XVcJwoneZ!@K{J%yc*<@|)Mw{>=OJo<iD
zxO45IqV8Ioc~=ILgX?whQgj;P;aFLhsG)+P&5krx=8zAH#X2_>9^~`jS&wu593a1x
z&^j{`B***q=f=X77_ZC2L6tkPav$7*Uk`mtf6JcIK-})fv0;rVoD|Zx$w3>(DowbY
z+3D&8U#f-SDZkGBbdHjn-k2=+hb)%d7sF`43Y|iy8Zs+@L+@t-5i$uKa%SB)cD;Yd
zcQLX}S@o&0`8uH?FNf*&U}Ov6?ON#h9{v27$_VkGqZnvFWdy=&r{e<?+L>lvq%;bb
zuH{Jdy4zRw@v-*V8a`Dq*hdYD1jT-NebUlRjIG8=TfKwxyxGZi&2V!?$*jg|<Mn0+
z%^a?dpzhYb_l91PH|0RQ)Wcw4zW~*c=P?#MSzVa9U})Wi&<+0a{@apcL}zC6VfXF|
ze`*>+g$V=1$^{Mrqx<^hy6VE4Uo2m~0(yH$b*H04+3wPd%A_LlAWB)pdsb0aM?|S6
zzc0FDYU@kPJKWz~@D&<RJys)u-pphMeS18q^vb&5PaZ0zpj#UQ74t%UNJt5N4*K5@
z+H`_eikJ1!j-68*UpS4lV_=qH*nY4<BlrE%XFAx)9>Dp7kHkxjGXR?@_B5#=fIJ=f
zvHpV>I-_Zwy~*C$co#RP<z8ud!($81)pzGWE_yeX;Ej*_<s|KYckcd0W&OivF|skS
zGXJyxp9aG}&e^|Ft^bP{`|`S+4V>KVj0xzJ9h{B-V~3!=qp_&%mjOm6Cao@{D)4`Y
z?q~#Ut&C)p{{!**Z%7&QKN_7P0p0(1?GBoO;foGaGdFTFb0h%#%d`8RF5AD=w14;h
zBi;SS_9d(Rmk9S&|37$b|G07gjQ@A}PyHWT?%zlGr~J2b$MTPE$IA9E*^Zuo;U6~b
zf8YLfw_gMQh1>mS`Cqu*SNk8*?qBWys6(^=1K)ks|9!jvVDbKW2>%}SKR~#DX7YcJ
z)_<Gpe*tQ;`qp28`+p45my!0LD%^jBOHk0(jo?d#WBH#d9OM6g6^?<0<Nv_IvHTYc
z_jQK+Hx`cZt6xUn?O$Ps{ufX8-&weSNI}K_j^zE*@$WhLHw*U<-}rUL{hNhjWM*Nf
z|9@xUIy>Cm0E72zypGim_ZIc6QfhNaMpAXuE6L4&YO9;iWO05F!l$xlNc16@62{h$
zoc&BLG$v~(<X>4MclaR-Hb^sbE`{CP5QHW<_mu+!RcM_{Gw^W9qy``8^ZK@V=>F+e
z&FyH?&18Cz$>BJqWvk`8B56Rh_Cs!OKZP2XWDJ=D`fBV(23trnksY5%7#$y@<0{^u
z;|^7Dflb@(`oPaXi&H>+zF37SrHXuLl%l6iMVx%d9G<@IBtA+FWjBuFx2tZ4%d=6}
z9mb9$t%k?o-s|XEXb7#g$LN^BGif*21bo#-jXh%*^wm!9Jr&vbyhtGXYD>xJW5ja;
z@At^K?gW#%0J9%r-{J{j7~(P4sf450$JHFU9=t#0*N`l4$vCTJ%brHs8|T&k8lR&I
z<!o`fwDUVPl9#KE)x$2#2M@Q8w1PdqElo%Nkc1w8+6g<?{)wfU7A&1?0RaQ=dS5ff
zu8fCNY3)BI+th160Nssh1BFxllsH1^xgCz>j-ls`sHOSMGF(p}>J2P>nurCNnDRAt
zO=)rr9#eX84P)V0V_j8Ui@5n%g%vg>sXnegqGqOFvlg{YgNl{0GnI2;MWtd<N7^Qh
zn!8BUDk5L~hiou*;2O9qm~6o2nmB|F+4{Fk$*@`nz_v@zc`z4riM}@Zkwt~IPttE3
z0nB!O;Xp<^?qfBEvjfyE;2bCwCnLgzeo}I&axhq{I`?nUr@SiKB_$tnm9ic|_k7J!
z@+Zl1UFGX_@WRMYatRnxAJPz%)ipA3XSl&0c}8vT!pU5sJwtX`5#_{0bW6A-HPsw9
zDEqM(WU3<SBt8}r_G?xjtC5q^<h5@fTZNF(#O^+Hn0~t>njgq@sL?{#JV8#Vo`~J1
zBYI_M@*jps{%a7!2^&{sNGXU0`+Rr~i8TkGiZ!c=9%9fdS`73gZa~k~%(u0pX}Kp|
zq_EI8e9(a3d|<F3AF-bd3{>x4RwI<kw*9YoBG+QilO%p;wzmLrmcI#aECbajuhzYa
zUemTP`=ckU;Gf@olN61>yQBBy?+iZj1sgFq2l#@s$KFDOJcv)XLcaH^yc2!$`Xbur
zFEAuJL@c2{OG!XPM;W<^+g5F^nCyfwOz7u|2;)<@t6v*`q<m)%eB>FlB_<u=n$VTf
z`Ym_6jH<OWLimw0_R4Eq`PVx}Z;+nes7X1d;rLlBHskOUKJruBeQh+)O^C%j;<h<~
z8V9nlD`KYo2h^L`5AQ(pmmf;Eh{XrQcRR$?ntk|UQ}&6YSC_E@A2fBy7y5xJ7(EAI
z^drSKj)a;z-oLxkyP;Em!h^b^lr6&^(^QzMp`O7P{ZWbR0qE{+5#0V|CpeW6jk83!
zcBK?r;n=&bhwi34lHuP-8f@j40{p@07_r^0R-(7B^!Iyv{8=<GrdzF?jlsAAY&Lj6
zCul?afNxP~iP=^rZvrt?=TGkObHC*gLbGhV|Jkix#$B&hhN!z|s&~YMVl_$LLL`|}
zA_t+o<j<%6&NCC9RM<NUR6$EBjzv7g|GIGRePZ_zO*QoB^$l#*m_3bafxd{-Gc>3C
zuYrv~V)*Fy5H%=is-uWgpy7y~A<wZgbTKq%M0`#<i3Bglo|9UHH5i`=rZt>b-?HJ$
z2?NW0ZUUAuBQWF}m+B{UmnNnH%dwaln--pI5J#2hwZ()z3kR@J{h1TCIa<2sI(3cH
z0Sw+Mxtgf*i$&D&|9X<BD!wA_#AXj-zieLy?#>uM*n@V#E+aI<*|4quSchV#;g~47
z&SsW0-L?%F@5l91(yyYNiGki*dH#vnUrZEVxek7V(w1aZ1Zb^%Q(aWOSJf|<AzL1z
z1n#p;lpE=AbiDYy=lW!1PoEfj$7G}55%REcGbql;mVw5er&F+WpMHGN88(|b-AeUJ
z<G40V3fLTAj|@0+@JgTzpbP?CX?*Jrh5Nf`A9jy%7cuS6{g*iIhr6y%{l~<|G4o&R
z6XYmrcL!D#0gmB;Nan#!bMDHGfx6?i`>t1%ann~{v<%Q^H`hKRZW_zjFeVN?l90H0
zzGW?yEgC~C>ZHR&m<h-M<j7NaG<#tQNViVUO5ebWDxEX~G}eha=T`=J!iaCc@gWSy
zSzozQ5`yxQ5?_fWu}cj)_24V-FuviDlJrj3{mcw(@(FQR`+FG(eobKy<&!+PO=9=B
zl|Mo7mSu<Y2xw)Fj~Y{u4Gqr637bP!;Kbs=+P|5NBWIgq4e~_ZckQ3<uhr=aOQ-(N
zqiuHOC3=GIV|>kew-VHO@Mn(syEwM8gYgrOq_}^MG2um&zp|~hqhtHb4$>3CS73G}
zAbhCSHA#Q<m8{b~F+Tp4*Z9urb<rz`!;M6s_^p?ST%{*=S*^2ha*QYR7rt-;LcRnV
z^0uail|i6q?#$>IuY9WJHzkYchDAekV{P}}XJ4;X+)oHpd9ZJ)qyr8;z^>3kL{8uy
zY~NO8pgPYI^aJQq$?45{z!T4J6sqR$WdI{$F-b`R&J}CUS9;f)npIkO$5-fmupW6t
z6bv&*J8nDMVtk4ZSJY4a!EV6yw2D``RpP{F@<g@d0U3#7hF^wAeyNk-^_JQjOC70&
z51qw_{=%Et!khSlS7?_M5jje-H{xv$(ZQD3#I)FioY;h`$i$)8#4Ygw2jY@42NWU`
zx*l&Q|Fx8{>xdVn(TC8;8z13qjL?B?&_pNUZQ{@H`R)W9Xx_r7M+%?wTaNlvCP;^a
z033E?o@zbP7a<(6X=0O2dGV&u{tg{bt(F;Fa0p454Qr4O!AA{{F2P3+5V5>h+FF@u
zjboi3R79qEp3bo8(4&@d*3@9ygzlgQCxUefIK{g`g<qVTJ^{#;hCacMD|3AU$SWvt
zx*6YCQ25E2Zd8b_u!CdB!b}#aPr;parr-TR7pjRqT~97;F%2^q@i4LQ8nvb{5>C;)
z8sf>|+zR5Npm=otVlWbjwYI1bl%QQ27%eb=v4i{!K@iZ!=uE0Te<xC%ugmQ~ugf1j
z5PNFpWw0=-A5DQ&&^RrFX(^jMWA>Z~jx(s<3$~>g7|(;oD|@sx(8mft#E<&j#W|3^
zdMTDSaCgp3$}>i>%$XExCx9Op;z}PBoI6#|g=>kMC{z^1MuJPz7*w^=#|l>D$-^tp
zzX(3F`L(u<qLci2>)<aqg0K{)B*_sVtfh|y`GE$}2J%+%>*Xxft30cLJgW{hz9Lax
zJb2(zff!T1&5FSO<*$!D?77b-qcl3&!1SIzE=}ksHRK;UpFf?_Z<derBs$mN@;6Mc
zgT&-7vM~O23SM09(q5JXL?6syNOihz5_O7R99<eXw0tD+&X9whN9sO$X)UJw=G*P|
z%2c6p$q0@pjjjk2h?jE31Ft)&h3`Ad3Qr~v@XStz4)t!@Z<^PP)B{l)&EeSbp!PLy
zVD>T`o^b%JEN&^SAU~~8PAW)Rl$2kWNUxSjc)GD~X>P1AXag(YW1%KZ<d{qlQ%EIw
zkRxWsm`4K0OU5if)g?RwcK^aThC8O~%olX_vpy&6b&poX*Zc>pbH;NpYp#b3Mr&#8
zC5T4ZEN!wQYR-hI-1%c>&ZOvhMBMGneq^zI6s|fBma$Qp03i@k_TV0L_JjTaId<T#
z-OL!*)5`i;{o3t)*-HOvSp5xL*^0aNw0p#ZqK7G6Ru;a7tO*^=J|7PNt2p>M;?|-p
z>)^b8^z8dN9?FzsGptgb-Yk8V9*fQ0;W=&u{7*?Ln~whJzYW-zN9UxZ8Jawm4`_hh
zhN;h;d#bSaEbXi^I{fJrfk5su{*TQSQ@Sxe+@ndg`X1q2R~KG;m!mfk$d-s!7VWIB
z0^>;A>37u*?FDB<(Y#7lC;3t#3Ng*P2)Sq*CO^Z4*IZvX;rkm?_-v>6#rhgp3~IXA
zW1S#Dy1QiFpd_GScS7*Zx<QCyp?9ko<;CPWNa7BhE)kO-a1tS*=&rBmU8^|JAATM+
zeBB1>)*11jI;@~)+o3s{{b}st&hW}Lcy?KHrZ3q&QLS==@H?a)39@HyOyPiv{LL3f
zW97s5T9A|3dA=y3O;u9+U2$2m<>SpdL)HCeEjdWglWt>xQP7=tv)k&K5+bE)!Zu#j
z<$x}UQ^>P~^8SO^6LCD7()ofkq799DwOw3iMI)6`?mRx(<pF-Ovq^tLZPWP_{nDc4
zp}XT$b4eZCb6Kls)3?JCcRYK1voX5U68Edez3QfF#k6sLg(u?SMBLLB@*uO9aLNp%
z@$R+1^PIF#FG7%0Mt_>+BY;vchh#|Ec9W#>aMCUkIA?v#n*2T9L<5ZkKvvJa%pCL%
zd7O}-0Tyqq$hC5Gtho`^4d=#c(*cWcVALPHGf=~woPDBrqo7ADcy*mi(l<f4J^mII
z*vRl)s5n?>Bm^{^-MqM<oj#G}3w$E{<yzvw7OM<Rn&gVufn1>a?Hx&EhRs6K!e`^X
z<U+3P8BwGUKgh{fIqph~U?ZjvHz*K)PfSx35Z!b|yiu?rrtpw8>l)qFA5$ncFE;P>
zZiMis+=HU+W&g5nA$VNfA)K;6Whe?mk+ql=<ogxb>~9Q4);<R6T5dEW6(uv-QE5~$
zzeEH6vQ~X!q6+_bAW1D}#gcJ_d-8jC_Na1=-hGy^^0a~$g)dtJy3r1T-SFQ{>>L(*
zNpHlsp=D{DeO$fe+5C)!p1~2gpLd(YkMSwu_|NzwQQ8gh)c(c8LLGW%QAVsYhrcW=
zexHaD)k`2KBi4`Pl%|~#s(dA3MQOpTnBckpaM;$unOhrK9<kx{-tl&zanGvyHJ$sA
zpd8$04xhzfA2>nAgFL;9D<2sDIufwpKWPEaB5%Hf+fd`TE)5^Q6$@3Dx?a5*rRp)F
zu{RfXIQqPY?!>@jo1ZvAk`izE1tkLZL>wYF1;vz4!h95^lH=}`rEnWEyKQzP=5l?M
zKGz4RkPBu^bi(T(M?<tES*&-6i4q=_oeWR|y&%haFBNZotjKK^<7tk&{)8ErzV(YJ
zAHnOw@y-;m8T<o3M|F(1$#{(+sw9`3P^qq{HiJl8;iKejU;tBV=*4m8#N`g#wwN-i
zJG;u<_Pg7t!x_v2<gA2ZE{JV|--c-G`+?8zEvf~{ey3lWAH3cnAAa45pG=xQ{y1bg
z@xHSTZRtAwjSkCY<-=83ZqWk_f|%A5B!}@4qxH<P#vXVlyaU=(+5rVOJ|EU9ttY!-
z!C@(RUA=LcT4LElEk3e3WVU);#j`dq*cVtn;@<NENk_K96@BD31Y5r#N63_A?iYl!
zn1wCPctl-Dar1otf@KcS?4(?KE;P$oWw!(b)~ddYNG@mzRgtm9ACBtZh~20;WWLBV
z1*BItglzf|-%zdVe`tMpedr`rw5i=ko<IVXEHYjoce^q8peyQK>I$*Dc^UbeK$iQT
zI;DNY+)qjb8km!&1f`^oKsv)O3Lj_0j(45--Vt$&F6U#8yEzbCxm?*?Lp_tYCZcXY
zc}HDu5N@l>`hZ(yyvww>Fp=HNAJ>8QL@WwSwT?S^Va>mysp{n=4GNQ-^qjSYoAmFv
zMtSzId!Bi3m~Jd9+KI<5F*y7<o-!?J(mRe60wo(FRrQ<>=S1!t+Ojr9@C*0~eRGG8
zD5C9t(faGgm+zX`A384E<2#hNfzw@EzoEW)ztKHUD`zY&KJgUz$a)JpN@LG=x>zj#
z;o3Fwx_|22ZU1Fai^ihv4nLz6-C#I5*+*SXaC!xhV~rd4E1>Cl5>n^z6!*g+;`>z%
z`WP|_r~$zt98TPNO$|#hii}i(zbz}~d<*xUHZb9=(R?|UoUp!jCGCvfl)N0aMSuVG
zj&}75^CI=a`IYQcl%ppdDCKCq?i5)X!WDDcZwu9&*`C}UwHC59-MVFGYwx?qyZe1}
zD8dVKYfyJ&tIziE_Ko*L?X6nHUM0gK_=IRNM!CCZ#I)2Dm{OWjZmZ-g^<Me{d6EN+
zDI;TcHOHHUwcMP?YH(h~3oUB4$eF{N>#EF}Nz&(WE_e)+;2rGIzT;L2UXvhe(T{xf
zTo?WDZD~JdGEF2nIX~)!#wiYYMsKy%YDAX&YubAHL&2G{sMtTEQ&fkbx=dHCb>T7&
z-=6md@o9VGP4U8$-NMrhcdM{X;U24H%H-}=;o?Wh{zLA7E(5mI2*-ldN0p{HFT@8z
zc{6y)e2eQ5(>j8^(*?0@{BVoVw-ArI_@x3@su9OMrW+QI-w3ns>aKuM^5<Bb_quN2
zggVzU@Y*heS&3c<^5`uL-##p?+yCT~-<HJoI!FJUuF%mum|J#pu;MfQptKZA?Rk{0
z=h@!~UG-dd<fqwH36Pxp2-)HHblf1YK)pJxHYd^*$ab?lFW1T{T>{u%zr|pKK<L8n
z2)|Z<SpnCCL{}hxsopbX_J7}Vp1d3hFoNV5X%~<DWNnVh`0HB%9ak+x$_{DUiS<^7
z(gY+MB{gEH!A^g=eKIuDhchRDbHdb?=8R(s_(n!6FpUpM7f&{o<Ho;HE*qCK&#@q)
z1NL|W67dMU-yK$Pz(2a8VGP(54IWa9MLeUz!zx%*ml<BnSm0WeD}OBOF8N3+4%Y$&
zZUkw(5p#rT6APz+qvOZ=8dNq1cu?~5Ssx9;p6R1IcD_Xv2E2?Axan~`xp3LlU@*0U
zR%(gaK=OEFdyY(xLQ&4#jy{fL<l?X$d2wu33vtzta-`nF?b+K6pC12IRP8B@{g&k|
zO4H!C7W&A*>q+-?_T%M_^_hu%IB>2SdR3T<!E=0+50hpW&bbis5R|bthuNUyY)_Zi
z*WW;f;QTLLOr8$kQt<cUaMAnrL}JukM>4FI#kYutZ|!;C%Pl}%9?G0>J@g0Jhe9K!
zh#Pn3XIGj28uOgk8a~SCo7&maF1DUH&RlNklf80i@YRO$mVW;}a(+l13jh?evdNfR
zl~zwKDytbYB^`$=Gb-qy#fTJ%vy(u87y0BY@6y_H;JRe!HKxjl2I!P5mg=+Q7v@W)
zFX4|3zup2{m<>hK2aAft)jdQ7eR%^5&2?!K5NbW7;_j2;871N0#3WkP6+iMxPz5Io
zIkXW^;su{`oF()0+uS~g0xypeJ%pZjC0hVcm&$!6f&Kc*Kb+lFor7;0_!g3Kn#>m;
zsy?QizHeAEJBi~`!5u@_E$a!-gvxKyz+DtwpaH+JyDleo;>@No40OnyoQ-*sDvL0A
zRahQ}driNIXlH%cwXkW&mEevS8N2rd9wjOUI+0h8T5{fK?z7}Ax<>}DqpboM>fRsp
z{isjn(p1H%lC!(Xr|CqnwcP>Gm**4h%{aGSm?FDBmu-2OmZxn)+;9wnnr*u|61RAK
zXEB}M^_K)~=~nr*X;~|MUzs~zTqYK*Tn5G+*&b-e=CQ9OaX1XdO2c=lvO^5sEd|{>
z7icS2yNdCZcGt4WOs(P3y?CE{1{8Kqp{;dm#GwxX?~0dmQ*)iNb?+6ELOL9K?-sIc
z2Gx30L@w2XoS5`!)36oa<|5oB#VMu)>!)A9>J#r3($i9E^OHkn5=4-O7J538;EY~x
zAf!REb;32DQB&g<-Mz&=UG$-)hJTvt;35~!Jjne}{q6MDUtLU{B|SS3DEDLB=yWfl
zD7i#RF66dMnK#WyN_fqWLj)g?=w{t!Fi-zj!%Q9sVwXw6({nzzNr9Qmhhu{5wN@jY
zOc=k#>Z`zjM>PH>|INhiZ0AK|YUCJanS<JN?KqPT_$Z}5`kGoC)N<4Igzl@FH!$01
zA(@^0_Gwg2eK5@nNayjr&X-?)_!w2;^6XVJ81xF3{|o1ykk?UQh<JGzJ0zHyqvlXc
zKCSyEf+&oZb_2xtU>?iYVW?QtSD~a}W~QOLn<jth47PKNH~ElD3MP}S(S&}gTiv6-
zQBq96rE%ffx=VUeYcpM)n$`hH?w{1DaeH;?SGy_pOS9hMm4TL7+wAr}z8YvURuqqI
z!vD>!)Z|?QV^zvt(2ophdwW>2u^Ew9k*`!^!!g&Tmft+FMKuqY(&;z?X)wqGpixuW
zC7vGHUK&5`aH3JCpH=%yH~sR{5@e2QNbEP-!5h-B(+NZ`Pt}i$rPqSfN_i0z{(XB3
z8ZX}|<p6{;it->#3u>T-HFinlz&EG(fM-Ov!~4tKuo!)3Gf-k5HB-UMb4?t`g(z#D
z{mW6E^Trf3Iq%J?fd}7tC$u@Ai~gXWtYtsH*C+ToHYkBYvTnydR#}eEOwxUUym}Do
zu$#|=bmdB<_&VYzOlo2(=4%EjA;GmT4{N3h4t-&JO?xX8SJF!jLb5?lpgq3#w<$ZD
zM7w-FIb0t$z2?tMUf30u=}Tp}QmVxm3(mYNoF(l7-wpO@Wz(00XP)ufC9XhXm-hGe
z=%gtz?YQ{Mw$BUqjaRCz-J*F(-5)r8E6phJ@?}`R)FP|A@x^qP%tG9=&Il|P$GI8I
zROpm;7R?vv9N%CXqK*h_s7bODugq`NZ?(3K93R!0%th4MzgJUYHw9TUxHTw?$Ob*d
zDb=NWMN<(I!`_-kA=v2-b8N_Z?A>I{a#ZO!^SL&ENL;LWu)KqA%ka^2P5jD@Fv(J-
zsYkzA)xW^gpo39XKT`Lk^R(Z(=Izk#iD|&I<<UtZ^=^o1W7d4L^54+jaTyGQYnJTl
z0s@(`d0btpE^T)`kG1YalCrELF8?rn^k1_Lhp5SxS7yt7f*y+$pDpZ(Y<VPgWs!=V
zD6^H@*1`i+9vu*l@DH=+%4fJBJs_!}R%eW=t!~w;GiO%Pr4K50D*&_Y36jH!ve~m-
zV%FL`KCFIJ5h;twHJk2gD$a?hTw;e&m$>+)XBGf2&urP=G`F_7R{Ps0nB6UW(-YV_
zw;j4WsF8e8q!lp}i^w;6=aHdU-txmcoq5d;_bNMJ^(*_PMpDt@PfKP+5}l0l0;APA
zV{L7zl(|f>wzlNj2Oz^XLYbO=P$!v~?RMArR~U_pJ>91Cm@z06UeDX59+K=xi*OE$
zAquLTQXejxP1oJo4)KcPz#30ecgD=7j)R|%cq7tx(jj>$Uc)ry9Z#Cis{vBSQbi35
z=mVW;Dda_)Jp!4Ot_H^wsL}V8;K57IIXI_WqMCphCY6-4nNiXM)vU9oo?FfBH0(6a
zQZ<ZIp%2iVAsB_eNu5YR=sOr_>cmyeq`G0Ns3=xX;-J%dmQ`#-R3EU&ySOg9mgGN{
zj`kG!H09;xWwfC24Om!JRpsT?+n%!TaaHd_&gk53vK1HSS?IhQe3tu9^~^5z07fL5
zyy@Aota4k=8E(e)&w&YSTORt4OrFKTD~xQnlr4Df;t_p~1<j2mm9oh)Y;CsWGlzAh
zo5c6)_yBmrwuZ(;$CD%aK|zx}1X&E$zMXjl7o-E7fRpD#0$1E%<0jCY-!A9`kGJo2
zBIiuVWYk`-f{8#l$YY)Xaqrgv5oUzj;6v-`guvLpNI%9|%QM=%%`Iagj6<l<?^HAW
zZc*&Is$Si;Bx0vW832Yur(B!T+?ADGyJd;=F4F8Kwi9=_&1`71B9?#_rrIFXB4cvm
zZE;M1I?Like0=%|XJTI3eZ<~mgsm=G#&yWKE4S~Idx|#4NB#A+=^;x~NgwF;zN1Mc
z=5}^sUsMW9j`#D%0a><}OaIxL1$Iu$f!eMub8@q4lZF$5Zqw6JHwXiZdde0kFI>yO
z-S0DV79k}e_xzm(j{r?mR>Y(!D^{$K<L5g5Qe-7P66JEH^s;cA{F2ag40Zw5<5Epi
zMr3s__6<UvnBc|+-3KG(O3Eo9l1k>7DJiVTfaUX^?O41~WKs32(XBfEA4#gCr+E`<
zyr$T*C^ofXWi^;;^~xn88=QtA)!q1>lfHX>0Gw-oa(NXNAMb@Gbk^v%?w1AckYO?N
z2l~Sy=;L&D2<rtLq&yynA`zi`i0Zt|#9PXe-hJ1k8@Tke^uxst1sQK2p)yK>9)!|T
zxxs+kKjg$1#sfA{@<@oezx@Q<a&Xh77U|#Jx_Jh=2OP;UF#RXTAnP-&YB+@<58c*`
z4uV_p5oUFdMhImCCW-m^;=Jps#F_!ar(O!%=v+k1eRe;uB}H&Dr7JIagGC&)*neey
z)5p8yf}ffSm2<ga6pu_1u;nh0&z=Pe+V7sC><oC95hlvlE`F`vF3j;gpFH4ui9}ia
z3D4#*<!J8@OXfbTs2Wk?irLUe1H=^@>SUSw&59~%(B}aY*ZN~SL+^NJZzu09POO7|
zO;oOabLF{X6%DWtU9FT^JK>1k(<G{4-qO5INc<K@ueaV|Pr$08F^^P<YN)ZPHO3Z?
z&zx>aHWRN;{qy#zZr97MC4dr3@jP#;P_NBE;KSPFwcn<4%1}fwL#+Nr8?o2S7WXGB
zREiWE44Z^pMh<$zV|vI0PLw20n7HB}Jq8HaiyE@OtS4pJ^WX1CS=Dj_Md3&k>jdhc
z3Bv+|=+To~>{frVTeAx66w<5N)N<0GQ8kYW(gf46Vhz<Qs}KcQqsfYF#IqpL3_FzE
zr4qoX;tiPg_$_J*O2N;ah6+;|Qy5*D>;_z0UvFH`KFzX!`*0(t9rlc^W6F-Pbk*`t
z>XJR;I=**~!My}Or^-;VtVf_mYj1|Da6}sR{+koU2B1{p%*C7O2lK8j#PGDXy8F4!
zjw%}Nvz3NeIkR429gLHEHcElDWT7S7L>yw-Ya%dV<?*wutP1k5$3%VT_Ras=&d|Kb
zck*c=4c%#$kK^cdel9M#R^YQkJ}j6@`*vQzV*~EIOtd>UVlZ;twXE3dV~-6vpA(G=
z(cdMc>mC2@-rnUInice(b0$5fuvCF}t69c&L}CItHN{{vC|V^O#t`9G@c1J7sw%NV
z&iP0DFi!eDnl(8;5u!G^UYK}Mk}3>(+5KzSR5ooR!~h7o*{pG6gP2sKnwqqCbnVwN
zLZ<}pcPy?jxDos%_JmV|?O{rGCRrWz7xP^gkFRg9yBiv0Dh9)zgk(^;<TY!+v$J}(
z%TE5~T8(VdqHj4H`i^$#H+8}qb&<<nn7hoRw9VtYH*L!4X4IquhRmbfqmb1T3S%88
zbBYXVB%+FfOcQL8lnH0851On{)SBR4LT{yw`#bg$K)3+sHEmg#l11^3$+8(3WLbJ#
zd*8OQMIha=nY5$Shy9~t$kgYH)LMy7x4PYvWwyH0poTR#lR<5)C5!JOP)no2`{U_q
z8`t-B2q{N`<@%WmW(VT*1(Hyq41ZOT(Em}OdenQsiq)t+6Mp=@s4`gocZ9H4-fteH
z>ku$zB1|DrfN<TK-Lc4F{fh|Sp)CVe53SKObJ=~Vp9x%@{tUf=JdNKlW=9_V_}wdb
zYk@u|1|F2-N)3(<(k9vzaei7Gl;eD}4UaIx0Tt7?fo3ok*h`dBO4@Fwt8IU2knP#;
zT8RsG_)#oH8Tq^s3cY>h)K)BQTv&#+spCl3uqeYiusL5p2KS7O3-CQzM=n4@y<dSM
zr9Y|lE?{6~Kc#qe)!OT1ZXP}_yqh0wA*v{<NtRNe%!m>(qs$1CF!cxRRW~Gz%_&Cp
zM@!5?>0|knbQ=Li`$@e<AEYyf-c>0Dty5T$6ZCdGq~Cu{IXP2*fGL~lmyS35ELU`t
zd#KFOiuG3aCa`0*vN{?5PTh(^SBj}`F#26&^!T==(?*t<qaTy<<*$g=EG%4W04A6e
z9@^~QjXvUcnjS2Yq8%h4TnNVeqJ`U9;SU0PDBtC0!&};;t5>eq7I$XOk3UmIzEEpT
z>vsM3>pf32DXgLf3}xGjKCwZf_-)%kp&{+QR(y|*ub1sv5{fnJWqq;T*yfrxcSh4P
zT6hO6XuxI*rSyv76WO9l3PSyHVZkyp5$!r!XZ@X}fy&VmhyKw34l%>u)CXWFj7!oh
zB4~iq0nVz6G9W)e3p>hBA)-N<bgDh`-oXK~C-yC+D&a9;1RzS)vaEIixN5YK_{aFY
z>6&AgN>zqZp9M(bY>i5{*mifTmqVcwsyy!)Asj8mQ8##D8Bh4Zs^Lr&2upH~Tu#}k
z6l}h`DFW?!#Ou;wTNV3)f@}|~<d+aWxe+P@gCt@|jL2)`kAWJU!>t2L)!T{Xl9?>j
z5!dWcE6m+E)Uw((*s|iGv@^88vt$|-63NH%v0(Ab`_uz7Mmr=RMhHwnEZj<U<xNZW
zESSKU#DWwsX-+|-qYCAB0n=KU{prVm==K=wH?9rJaeF6bn#1xjy}Wl1Q=e}e&VyF|
z^kx~rwp7u!-9vonbEoAgbzss>XQryly!m#wEmd4nByH^0Yh13nad$`7Ra(#88^^Y_
z!N}L{=CkI$*44TfXXsx>!<;mELTzV+d_*Li&BIR=3&-816*y~~pf?>v<WNY)h@@bQ
z`1k0taaAc*NRFI9nCL~m2P<x1>(#5oA5`JAUxiDy=46DxrAI$Kk(jewXJETzkjl+$
zWPW$$c$<e%ppdXuY@PA~MP)}IodoZqU1(d1fv~S6QX9tZ?;o<XNXS(TONb>tl0FPH
zcLorMT6pS&)!)i`@`}kmlbAR{+bHoe*5SbiE<-65POj1tF)|c4p~lTknWxc0nNO=r
zjry;L`1EKRM##W;irdQ~OH9!^WU<8<P~xP-l<xgn58}*Wc{B-0HAz?Xi^K<UzJy;S
z5BK0sKiRb%!1%-=TPsNc8<5m|w7&IkoemM24jO^t<Txq7z6jz~{6N0AmSLJ#8m%aJ
zPmCzx0r?)}FcP7pKQsAF@;$h5+%{|?8O1CLoqALV)~Lrw_JVr@<@FjIYYDg$7gNA`
zPM5ud2AVKox%gkzQ{)vWRw!JVb(4POHMnvdE>!VCaYg<G!hQQ5<%D=K8U{nDv_fNJ
zlkp(gNJ}Ycj00GH!}9ADXYyqzYiUcBC3eyDZq+97x3V|re>+trRN3nwAXn<#wDh@G
zsUQ8Bt49I8GM`25ZM%MV8h6V@QI1vzO9|D7uhrdu$mo=(!-7hzZ~%?I^XvOt-U(8f
zY|AIngOpT4rZG|8Z{>obAJ<Cj?<p*T=@8N9$i6dm?`7fhBSKtvpOSV=JmsBo?!i2K
z4_%kue0kP)^43Avs+F9K)gBVga+4y$rj=+Gd+FKfz3J90T$V1&dzN>6xgq6Sq@M)H
zizjd|aGO#4Y$w%^7r*3MZs;GsKFoak8DC~j^5t^?m->CG$-s;@tpiUwbt>`5z^aE2
z=P?PJ?e^p-u?XaU{$bBp!>b7z>-YQFD@m^b?tcVMqfA=wN2!q{kGOj^04Ic30Qx$S
zbaV2}1iwVwWpB0!d4Ebce_c4zKaL4&9<O<R*Z!1{9&3z8C$JN%vWYuRIIj>p86ipj
z;+F9?M9dMsm={zDsy;gP4lAIRl7!JXd^UIf#B$vR-<)X%U0?>PDs6<IMl~=fEbiT(
zhRm(pGPo5cq%W2^#6B<TT!JE}*>mC$^VWTs+p%5M<pVQu8FtkWA%XQg>J+;d1F@sE
zozd8@rL3!!+y)I?{FsY45SwD`xoh?jmGG`RG+(6kE}<*qyLSD>iJA>sIw347=GpCN
z>}DoRlG0oX7=DqrxA&=Dz))FVQEydokUpaCUl8>W^-Nhd=ilyiDq&h^uIx3a2eH-f
z<k^lESi{pa*wZmvnAo<L6$z~z^GqrWSEs>aCrzpsmf8X-Wbe~kQiA>5)Uv!-Oy^H;
zfVXs|N8pr?LHaMW-7&Chs$tswmaL2e{g^@s>p%OO%r0=tjV+zbaoYwz^GBYMKmTrR
z>;6(HOv@l`XZD{dg@%e+bZ|7iXj*M=Xt#Jq8&XY~s@m8Rub$=2_Gx;4zC)O|4c-#(
z)_6T^=u%xP%Gyue&(>%k;mK_eIRn14R$-kjr&-w9*6o8X1{{X~l?#hXjNK)C$2}f9
zt9b6#lyvgN0I+TG*~w8dZ?L$Bb?q&`9+K78qwv{gPq1*4rGfd}Du_}lB<YsfWgN==
z<rc+DPRm-_j$)JjEL&ynwFieR-PIgAhBy^@EHbj%>dlI-X|jXI=}wML0H@{?yd|Eh
z*V>C_&Q68HWw;Z!676Bn344YhG-U9!Voa@j??SqSZEgpmq<RnGX{2e*>Hch<>=f=*
z;%o$-lAcGNI*}1~c6z#kM!|{^<p$MKN={_lrBsYv1N@)yv&|>XC%SXxf*?4vFn>6L
zj|nwm0Zol|4pP1_%QuA)ZGWt(TRTcRocrY7DHQ1z9Pbw`G{X0nfO4g+6`HD#rLT*W
zjjk5`9O^qNY-rP<Wf!}rvQ<*v-3Ztdqr9Q|dZ{^e+TDwrsbhDQ;9JPDg0RR#vUteh
z4m}>3HA|H_$_)GxMabzilauPPPTux$7fkM8c+q$Ie*XQcY|<1-uwd17Ltxi-6BxFU
z0RJWehM+qE@mZy(7Xn1dNdb${9!q(a?`b%Y0?}DeiHDlpD3)3pho_20xQd2)Rnlq5
z{RY7uAi)v+tLSY)BhWv|!xinFJ2UKe+|uAkdL$Q>9hq`ki%ci!E1k#pttE8Ly-bu&
zIZk!k?}oH(B6`gqwmtJBI6cv@S=o|;I*(7zA1kw6XPI1eYKnOgYdp0KfE_?f*~!S$
zl1fXtO*Wqx95jP$4cz+6yr}uZ<wZ3~_6d6u7JKP^$PkwVMo!(P)so{-fSu#QZlj2Z
z84+LnyW$&!4t6AVRPw!Qxt<d;5&dBBlBt{?D@?s5W-NAk@qq_Y0TgXUEHY16@4$sH
zFGKvyFKYQQPZ7F9nboryMpOH?3q;XC1pykj@xv-5lqnHZ$kg>%wsp$fRzf*(zo)&Z
zG7670`Po#&m!*<a%3BZ#l!!XE`g}>TUlBf>6e%#nsp6?SH0%uXT{}3h29))jXi=};
zMZB^FF(C#FDus~{(whVf0AcXH_+L7r-UoWIfzG{k)f4vd))nmGl4|9U_W^m8v!2d!
zrTEJ{)pOb<?F!S|RK)$N_LgTl_udL{DEX%^9%WH73>kLD7KAiA;_y`vVcn(cN>fLQ
zffp-Io}csY0G)Q9sp27R#7aUHA=?>@1Lnnv3Lur`a4{Ealkvt84T6`8cau%g$=WS$
zkq<5F!ymU#)iU#gMAMkAS*D=#X2(1j02uABxbD#uulzg(p7TXMJg+2A6^{fT{?8F}
zI8M!8(yYU9@E4dtnHQPh``%ZaY0m5*=(}7;->cj^iz~Yc(b91NH>qRt3naUi7q>(~
zk)45O@-sX4j%;LBi`Q~8n}uN0(n!@(CB;M;;l}19ftBj!{oKS&ncLFsHRM+e?mkV*
zWQU@~)lmo73p%-dQTugMmAhY3vZqn3>t*5(6yl+=Cx_6|1cFz8JVZM9x@7ezg|Ls>
z;=-OU=7FZgm73^EN03NvJpJx*Lx23*#hu46JEBttAJmrdI63Y1Gju(R%k#<r)%NX!
zRwT`OChuoJ5#L*_#<Ulor@7?^FK>Ip!*$e39b1{lezvztilB(#Cwj<+x$l}#JDP83
z8f{x|h0njApOKO_bgGF32uE568*~ocg<-oWQAv4brg>j}bd6&bAM#X7ZRjx`N3xUC
z#C2XwZnr2!6kmBWCy*0Jz~D_KDE~AA{Z;uyA2}|B@o4;;KpqoZh=36yudja3gRub9
zhQ6Mw-&i<P&sdbLE<%Mz#<;*=@=BFei>pjJZGggzeDDey7N2hHn4OqmGVE&fTIuV}
zg=o}EfO$Wza0M|+f<e|Wh6xV3q;`NP+6_}8eS6Sqn^Dt5hN7^~iCDs=?t79E#AHBp
z?}#2_4(6yC1P$OkV;xY`JCJmovA#C{m~lz9qH^sv%7h9@MZH$hyvknecxK2JhY%|r
z*Or7B(1!Z$cbmp(r+h2<z^+S~Wkf#JpYlF&)YW(k+_A`jAhbo=H#(L!r~W77`DIyb
z%|^XN$8t_pmSdTfhYV9~l-mKu)`oVkS*`obY2Ee#O!%_C4Ocp=74MCRNAC{OWl?YR
zq;HZ5hHM+hDEKc+n<cx^=YuLekA6d1B*K>aB3Q3hra6w4j!Bk9ru9nLOx%8+T70$d
z{;%IZi=Snd`JQ~!-~iepB3FVwzjd)&Gq<o>v%5!c{GNGIc*`=#^Ef+s2a^SUgzxe?
zmj=$5llC`w<?vn10IzY!V@FHr^y@7L&XPwq#jA{11ibh%tYUfmg+!&I1y&5pNxP&A
zS?Wk`?1fRGNW;UUEP~4OJHP@Sh$2lL$AAp_98rQ055Z&<^0O8Kk1mn3dX$4`Qj{vp
zklBG0NEy~!43uw1+6o)`Fc1bJ&SGWSut+)e-yo1O_{2A8-4afs7aD&etdIy*Y84Lc
zL=Q*ey2w|c?dZg*YkO_|3G}gFo;xsxi{t3e5Tny%f4Ix)ei9FFE!1iW^KrP^spp!a
zS#dtUu+)9|-L~nw2T%)rNZ-^(lAnct73FHcF;9=5PGM5s{aKKSnry5<Y^E}bg3<w%
z0fJnL3(H5UE~B9EY7r<Z0%wLcR;$X_4Vf?D{Kknc1E{LzM?4!2hE>V|Fc}<(2T${h
zmf!`SRxIb-enUpYq_1O&d)|m+miY{h9Uz%YC|00q{4hbmxnVP@=g~Jn4hqIdWC}ac
z8ez8BAuvd-E4D7qD&F`7r^I(p)vGWMm9Vr2XIzI_#dte^CD7(?k&0!3dnYg7;YY&?
zGrWWgfK(8Nde?YjcD{LyP5DCzQfdNuW#W=)#RKmNA}#;ZH}xU4S0d*;LOP@@R+&e3
zn_gn2a5a6Ev3U4NP@V!9p9Vj04z!;oo|@^a-D+Cmv~3OQ>be{oH<g)`SuB<I=aL_?
zK5QSN?d}0*;Ff$};aIO6Z)4;Vo3a&eUJkl1Vl5xnn_RkR^};L;bBdAM-2x*u9#vl7
z@R7;JM~+-t3jZ_t0+@3p%~rylK}UL}k`v}TX2!6%YfKlFQ8KI2gshV}LN*9s7wXV<
zHFQY%2)jeZ6?GSF;IWc*ySjucHY=D)4&*RYByqt<^Ng^vwTjy{Zbdsf_}j|eY6WAw
zBIF`hWt^%uN?Ve!Vv*_h@+w`-AH2IStrCrYAZ3iKYPaZ(X|2Ysm(>gG;qT40;<puI
zI*P>1rszj5fIelB%TogKoHpWU(^;4YpWAeZ$|^UEmwuaGO*b!Da;eR-%t1s`C*mf7
zUZ4z>7lpmGSizh&7AVz<)^s$89v|Iy1NwK$30nkdWsj)P`>kl!HW`S0-%?`G>{Zd)
zgtJf6_>(&0UXeE0Y}bLH%zYelU&$4;=%6JrgcuVhN<UbXZof3%Ly|ToJvJb#0eh&&
zZvddrHlXYh>#H&3$8S^k5z29;Uu>)dA1*S|*YveutpHfCb{{FjtSX|{Sn5qh;a7H%
zJqbS<o?jcGnwsuis;*KcO|t&MR2_Tuk1^8lYvdcGN4QmH<^8J)Z}VgmZx0LaaaSJ>
z+YO*&mG@2h?4UNfR<lXJj2h15<7E0AQ*~7<8SYn}=X%TW>>6Iv3*9z;TLZA8%6w4U
zv^)c8R<cU5>pF9-PetX>gv!)o|6Y69xZI_>>z<4z1#YYUVJ;+OwJzs#^4HQ*CQo_4
zCCm=C2F7Eat4&X~u0RY<58o2I0zIp0UF*n1)nr+Ty_Vd*8EJ`1ISXlei|F@3{XpeV
z6G9?ovolX>It_L{(&$n%%!AE%>$tj7j5wl~QnTd3xl#<g10OQFl(7PXAQA;WAky@2
zNo=SP8nk)=vc8TaC(b=PK)KLGdbZ<;k|nMKq}DEqaGlE4*w}W_+!c|6oB9SkX1ISp
zyoK{j>~2i}GR{J8w82B1B&F&BRjc$qLBFsR4fe>-bVUM9B?2sE0!>9dks>f-n9zcF
zl))Awcg%jj@3>qFqD;ob#sw|M1DfSI@k#_{Vt!x$qbuY8I2`LZZWU1otfa1x7fGS5
z`GHr%jB|#e`?^Ds9v<<F`3L#W_eAP!271kox}QT_`lGP*7f1Tb4fMOkNRB-V=K5M|
zeHWbSsc;Maia|Awa~EMO6Myi}0SNG+({=>qOxYzk!zhlc=C9uyI;3~liQ&NB#y8g5
z(6qD2b2#y;A6CyPe4jI+%L~l8H}@Ko8u@j6U44ebGhAb~oE0iru@-~9sg9djS%Xg7
zhoY!D5Ve_sP)S+?m%0h_g9J(>ggTNZ5%#Zzi5;XV-<ns}D^*>L%TR!X?eai-F%d50
zU&IHcW`>}n$f!~X6geiA^e%uZ+Ga5!7Dg-lBCPhwTvH4R5sPbT+FPiEQ46%mOpasw
zakK1=3v%f)6<YVe!b~t+o9|<3POK@e^SCxZ9Ec6IvEFO~GKklJ_JHSHN@Odz3w}Kk
zH|A2P30%<K-htk>=~RS)Z<&jB7&+^HdV3~e&_E?qolJZBevGC}iFQmoEL(tAHZ`5j
zo2Kz_OB3l)g_W9a1<A;b`>u@P$NoLgEHR=b#S!tFUvn6Klw5(~pYy1hwYLwD1|zaP
zy)ZH{iz9xQTnj@N!$p@v=ap07&5GBe_~a~B!A()hsKIy~WnOrBXt>H*sAU{CzVJmo
zpj;X&SXl4CT`!t&o@L^;F5&6B??}%5_y?YEx9?2%Wc4G$?P{JIWzpZ2_pPfp0g>=Y
zKe%*c>Z%k)F(r0u7z)~Zut#jg$#;pBiIuD$Kl{uhp@xT+YpF!bc&#>vW8@4fZE>-l
z9N4PB4{}MVDA5wNUmE)K=5{R0P1Bj$1TVDLSKC@1Su!58Y1DLBSrDspGYQ-_^rQU#
zS7T=$4t4we@$4FFvSrB-*~08&%bs<tWsB@HjBPAqiBv>cvnNE7EQN?d$u?QbzGPoh
zLRpi_^82W#@AJ^}`+a|N%^!20>wNBW-{*bqbI;|vyk-^A|DYznf^F`WMPPHfK613j
zxBfd@ulR5eK5?=~3uSTfjf_vx59zm=F6~bClVKT?Vd!8ElOCp7M#*>1@^vqrE+z)v
z{qd%daW1IIA1}xfKd;jXeGDN$tldX&HKbkS+RK5!u)IrDYYGeL4S^wvWz*KKo0m4c
zUOca?YO&?QoV*j^dYziW#2AypE*^2@js6T#!wz7j_y*n4YqARZ(mzmYYWq$!t&5u*
zZr^_SBE@2GvdX#qH`>ll!sNj{HeD*BG}f=qkaZgv&9m#U7#?}s<7ukY_kuESj^%!~
zpw^~UjZuRCm#>~92{*F_%Cj0HB18HEl(YIGo)x~g$zn};Yb)CxnUlb|&LyHem@*r@
z782Km)klaWSJG=d;d87iGEWP0nwv*-O(=guN+&@KNRY9!C50S}(-cT?NrvR44c3^k
z6q;+<Y`zv<mtn1a98V6hrv^7UAUqNGwEf{j93E1_nD;&QiO)2ab#N!0n$l!YzKic#
zYf2UAgxO-Gd@WDTUwjdkD16$!`SxTUPpnU+DT%d4EO+^n{XGRcmr&Y^O`k&GBuxBB
zVZL|0b?P`fgQ_*|(cN=RFl>>@LS0h_t?AICixP59L1EFgyCXL}!Z3VpR+qNxM$pqG
zu;a8;2{dW1Et)72M_2k7YTeVPziN1nU41<C%x)|2vA;l;TP)Sv_eHw;V)ASB)Dcf_
zNVQan3}h<R4J<}0Zj7w-qn|!;xgV0xo>kh<$=@Vy$+9Znp*xwtyhNowCB)+F+((Te
zhp(N~Rd1rWH{mEB7krN>nWwa@LXAEA213Y@^Dx)%Ua=M(_8VFARj?;KT`Gwkj2-Ux
zHF+$SV()R~In42_8UILIO#>a9@)m-Q@+sVV$rOrO7b2yvean>^<k_9UMz`CpZ|=IK
zy#|Zw&%AG&Cf*$Wl<i78uu#a@gUO9x<Y~#pJ6(8*7E_5|YpT(d6`Q^Ss^*tF;bvHB
z9%*(zTQ%Vwj4L7%OBzk@)bTo66dS2a`&z5uw3uF^pqt<YjsYX%lBxhDHXaD)@<d%O
zJ}tfN^&LhM{jr`rfsM?g(eGNK$Kb1QbzDBqrqQC%q`S>LQ9+85RVq>a_(sjU(~Gm%
zCC0h!aVCv~WW2+J<id5GkEBgg>5sg4$!&$wfhYqq;gJ!}j-X)8;@VG6+!Ze*CV+q5
zcbtrQw&FJa5q`a@>_!9Tl8wn`?^{MzPY(4at--gJIn*a7LU?W;$zelKJYB|T)^G4{
z+;B9CG+-?0#w07+ARZxy{PES=7mnp{xz)|l870cxFJLsP6*ZG@%0!hwjipknY|30Y
zRAqx`BUPT}Go{2EnB|4BF*a%%8gqWS>q(@}gPzfqNtB;KtACOIB0pxiEkDyj??Zvs
zhj*?Y+u<YEvsoD6Fy@1o<Y<$FvTsnDif?3JVNlL71XJ?f0U+nW8o`j)q93nnk2;@f
zB1^7>m@~ySe&zBE{t-pf#+s|+$>t-x>)3rGgI?HYkom@rJ=t!~kMC7c6`_Hj=gpt<
zU!ayHtdC?AC^;Jrzjx=BlF+fpICkZt^x3HDtOklr;bP0KQk$vi%yEk)-r9|69zg-0
z)GMOf-}^JB1_nGy+WF3<LpsKe-H!>$_a!|yDs3-5QjbrUd{24CT}=DKm#iq(JiDH6
zft|;=zi_4DTncP`-SpEQ@~1W<wg^=d%e5OTlDZNOzB}mk@VjLe5|hQE-2$Ouea9Dc
zOfJou%|}NLWak{eL6kg0A2-UT#mk4=((~1dn>bq;%nmXyV!!66)c&aaa{k(N^?P~T
znf`iKa|I95@4*K+S%=1Ey<k&g5l;y|J#lL#iQX{f@x%P%t)c#TmKHQjPbw0-uO~*V
z>78tqOBGylNT|L#qKmmy5&7{_+Upz|WmMeQ5NGOQu@WL%sr<fD%OXh41*B#{-)7RX
zT<K;!>f6>feM<Mpv?mFn5F+O$uVbfDP0s&H{LFf=ljP^3O(TC(2ft?=8SLZrt9tBA
z(QV)DLcnERB|3*1TKi;am)bF;7TRm49krMFtC{JzP7Y*K60j`QEcPtb#@#O<hsWCl
z{l&F|&V)1vd!OzVsfQd2eEqS1%i3Xc_a)9c)01>(t=I!(mVkZgUZ1%tamUz1&I(l}
zkM7K<@$#KHG2>@lNV^PO@_HVq>b=?KIWteKxjvYoC#AYLRhH#<<@iDurhyo|_$@y6
zR%-sXWrmP@uG+#)moKvRN;p3RHh09h)${hSM`NFGDOr25aoxIrlX0EFOdpR<^8K!a
zSk3#DKSWxMYF~wvq?`u+YGv}m>BHh`e!Lhr$FMOt4d<bFE<l|?>E=3OYBF+2j;<_+
z?AzirOL;(|aFIULc+unqOu4;sgz>DIa9BZjR7AZ&T(2~*<mjE=SKAM2j0mESOVd7K
zIk8|(o%IdyiW3F45BDUg8%#KCbfcbE@PV^mY6Jdu!>y0kQl}`nrXG3?hcop%g3@*8
zmD^2vO>Dbf=$4VnRR`a1L%*taml)G!l=?h!yy2UEG2Q2eMl%4xS_tDLU*UL8kt=&O
zWa2Xp%@xVcIy<1)%hR(WQCsaWdkbx)xUn;pmg*kmsg9L3!}&JZE9}g=jF0TxPd|Qd
zR%$miH`lNBM{m^k+|E_?T*-S=c@@-_m<nr@f=*b7bdBSj`jAWK-0hyY!P~<IC3v1=
zA{?p3afgpKX$4KaGpA>Nvd-XM)PB=D<s>^t3|G+^&92bJuS1U_*Ipm$9fONFDu<mm
zzHe;#OuKl#fUD5Rcu2UBrHpqtw@?f9<+gej*SYlSp~q$|7$<6Wn1^@cV&h~gI}9T(
zrzkGF{?N{Fw!Q0~IIoNwKM7=`a#%CrTmC)H)|#%(8`Er=S?F7lG}G8pkbZV_)3xP<
z8saetshFU9A2rUL>78Irw#fS+_}=Y{D}#Fsp~%3E=>CO~x;TOQ^|M@e;<)74LUrew
z(sFQ1@!U*Do`Al_S2^qOVYv(Ey1(0(t~Vv6D>;G^Y&mXTZ;PnTKNFdveBzuU9@^V;
z`txFWX{}hZT7Zsm`<pNhg{O1XONAdl=NDU77V5Pjn`V>Ubej0m<JTq`l?KN;Ya8`q
zOgm_?#Xou({C2*yg)fy##Ly{h1rmDSrbZ*V#aeYr$yv(j(_U7VcF!RWpGhEBrPkWU
zwlKAGsGfFEsB@z#HHn}OX>@p$rBwCCJmIL(y46evtK<4~B8B*mHW7a6(5$#F1Jj5R
zU4ar7(d>smZrCXuF@BJL+vbrt_}IfDuaaXtkIQTN1NcWAG*yn$a~1|s@`;?PA6pmd
zT<W{&9Q&lxVNQ8Slf|SW9JqT}UVNvz+)!tL${VHRUcC{CZn(3NFsd2Km{~Ko^WxoT
zc1K*P%k1Dyc%$d2uA>WuqHpXi3C2QPi&5l5&L?MAq91QfBxv~t4)-<DyGchpAB~2w
zk)@2`LU$M)yYH@#jSqBno0!X)x<F_y9X1Vj)=j<c`Kd3dgSm56e{0@F=lOX#oX<mq
zQ2fAyl$YIIBAYJ_1Ril$c+6)e7~M_FQ2L<HGjlmi=HdIyrk9<CbYCZ_yc<L*S;S(>
zUVS4CGR@SoDKPIyI2~0vH3aSxBA~`kj2#VX+ssF}jtU?1H0>zVsl@cgl<9H}iKI&h
zKGpQ~6nNk|QLi}lq(b2h%6m9Ws@!)7uGxa!iC+yLzi_$x1BKPs`z?BWjTMJDT9ucI
z6Rr$?n)lasVQTu+q$PW6<>KMfos6gZx`P7p-t(}>F$4(v>8;qwo{x`FcPZwKg1k(U
zr`oazy;tYh-i>j$a@TTqb9Zsq*Gnv0P$@j}-unY9K~=@^j`($f8a0^(R%eUXqI6=<
z`n(7X_TQpsNWRyi5)MU6$>-78a`%_oxu5H9?eKV1JS0>v9>E`3TKe=*fP=-WyoJ>G
zWn#Zae!hjA*h07ZCV5|To%;2zQ1b3b@^0p9VN%1|UykdDPMq*Bu>4GxuwqD_Or<Cv
z#hqD|v)N<iq+rH(tv>51Qd)kcnLn|N)-a@zPNbNqC+c@KpWkc9(1ce_*@yW-Uk5;p
zU`hqeuW#$mQi!;yqXy5zpBxAIp+;P97aEkZ26~^0DGu(_7|LV6$|<H6YsTfQ_R1>d
z3+=0(I2}9E(JS2Ka#Zpg@`H~GSY5yAe0-i#2g@x%<<cq6kQdCCYu_<{F1Qo*;{F?h
zqPhAp%)*7vF}E1Z%Nhx2<FV|OnkqlZMNWDyl8`Nb!cJ59V&8jXrks(bD*Fy%ZM)U<
zRITF9ww!6d#`gHDSm3u`zK&<+l%{QrdZ?a-$+>+8eyRJGb+s_=sdjX8qwr4s*ds2|
z+t{zKZ}B$qp43~3J~_>s`vWUwER#{a5OC93MSY`I<Kj%fwsur}&>{PH3g?;2iJkh!
zn~s&vNBHgu@d_2U>*c9ZZ}7Tm9hR=e@|?J7NVBy3ozu@YWwZW#)@_4#%CuL#sVoQ2
zB$eOfy>`nbdMJlE3>yEDn|AU0B8kse|IS#rEr*>4((oac4^3aYb`vRCu6wv+Vj}QC
zd&z9t%TEtWSMpL~Um_Hbnpwe~TylPA^_@`gl`VWSsl4I5b)%xP!1@A>ChN;U9^sHV
zr=;HWt=t@Zu2#QOK*@SR&y-Pr^KdNDGIR{Z2xpR|qCtQd`;SOubQ$Gh;&P@B%eJs?
zCUB)uE@_{xc}JpQP`Y~EDIrnL-+)AUi9zr(L+B-jqpL_v&09#f6-h0SA#r_gAd(iq
z@YLB!)7y-6BqnPrt4>;wJ9}}IIqVJ}mi4+iYq&2f?YGQ&l_$4jZY4V)TC*0zu0mNJ
z*dh34Vcqp29ARxy&l60VoUV73kn_)qGaD&fbBZP#BD38M4a1!}am$d7u%ex4w<|a!
zHNU8@6C2IBtLnmZ;bcvKIOs>@xq_ChMFHe{juGmz)yKOkG}-yk<QI9BAZeKepD)r*
zxB6EfD_30(YSwk^d;v2bP<iYtxYez6QPrGo_mx=^KD_vIYSsF4jX7#xcAgi$jY(M~
zbZq81z3Z6lvzZYP$?%;D8fP{$aLlIHAhpirmGnuGogYS2HF1wfyPHnnvsp`vA={3!
zJ9I6W(Xvbi2@HB?rb&M5ZS=RzT4BeT+JIB9cHh<QHZ(hzkxDhLNkz7<%S6etKYPGl
zSmQ8zy-Hk4(dCnnj?^a^xv`p!X|^%CmR*{L7#iDuVK(h?Y<^;zq#+2I|1g{WNxb=g
zGn+74XEAyj;>uolTi3rxO#l%Gz&ZU*4+0@jzqmQ)2*&Psdx8TNj6nagsN=o7iK<Sv
zUI3Q};Of}^WAHbg31A!TqZREvdyvc{{d+!FBG&6Cg@}k%!~Tq=paAkFdSPwdK>lPG
z;_BT=U}m+YOO3}9RVg=)@f#NieCt9zOk}Dnc^2oa<Z@|wf+IXp`}AUP>P5&YMZcvC
zzr&l!As?ajbJaqY4cgSUb*&c%%55^VeiS(42I5!fzm6n$eBR<z(x$Gfg+CD-o?OO}
zt~O@}#h>xI975V2HGN=hzg2%Mh`c_DJj%Z2vud;c=@ZM5nX>6YDbLR4?yyuy2)t8I
zbvmAmDXCO*iz~kyr^TOCZON)i*fp1fL<c@`OFDHzP273sBWwAk730=IwJO~)Rf+Q;
z>Db4{jm)pF`CKM*M|iOOi_m*%*-I4+2LCPdPceR{?{As^mg|>%zhF=QuI^976XKWO
z9^naOA%TMJ5uVThiE0mE1%)90cfykl1PPYf3x@@mUlK4V3@oK;>!FFoJ30|TXebJR
zgb}fBCcw%8(2}hK-rezMahUz`03)FQ_(|E<@n?Mig#?U#Q=NVV|C{OrLhK>8_EDYo
z48J%37uD$}+so*0suKbYtVkXIe;1OtsF*Hx(#FZg24|z$p?k{a5JeLuSSUI3Y%29^
z#UXrAbl)ph+PhOsaj4gaKuWW^SIf24-L<Ha_{ef(yjBx!SCL8z7VdTc8TPuIQjLn0
zox9k%ZEA2)u!X`7$Y4ARTw6(*t)M`m`GJ-7LBl9rx&B~0o{gj&E}!H;*@MBPaJq8l
zLQ0?zC@o|Te)W~oRkjwI(xHw!#&^G-63v`=FMdOi#>~0fp4*&x#<k9P#kzK9i_K<I
zg#6)b=mOQeeZ`Lt&6B6<mKWYW79*psq&HKHv$3N9LCr&|q7BTCXL0*q6^K+)c*B-W
zpAGH@ONuj-+XwUJD;XFXuxUbIC6Fyc8-?ZO;N&UvHS*VFSz=%t2j-A@M|)<R&GHKU
z#)|h_-&1XvH{CvMomwjlWMbrp^r5PE|18p<`QOt74n_VhQs_TqI)^8^V!<N1czZ8`
zHvvZkn-aVnz!G360)l`+txd6ZV62uJ*w)>_4eMfyCwgOvK+WLYe7vy^)-q_cH88R!
z67X)44g`CDQIM2@7s0{D9%vIHZnpONXTc^|FK;}-9jIDKC{hv)wiHqE!Mi$up)#6C
z7{XE%Z0KX_MGOENsHv+0jScHh6a`8a=qN;j7f57pHNVHeENZqyV6kelFbE6^K|qmE
zC>#z$pNBw%fj8i%OK|wVT|hv;`ir9H?}fzyggGP>1RScrUSJdw2}go);9oX0LIw^b
zYwrbi|H}qJprHWKZNCkTMgds4{Wb_>k5jkbhCs>u@hn0b;N>0gL!)89eX;-9pQHUY
zVEe#v+HXT5q-B6}_|yA8YyLUfZv$G13~*EZS3fk+cMh%(hC)JsTj#$%3ze1uKynBC
z(9-{s0~u+cneLwtjfVV@E41_;mvFzIGz9fW3~4yf2KV~`xk4V)5(<?@9-I#fMZyo}
z9`FNh&;#?qAbZTgeQN>s3qQCIs0;$}M_d``AGHDa!T$6^{SgDu4SjHLFbGoSpdP>x
z`BOIt61YV6uNl||{7-!m(tpH2Ly-q-4TeViu@9jB&<E!O4i)TRt^k1I9~uF*hBz1(
z2!TAP2O2H|oYMXK0Q~;Y4VVpba4o=@hW;bZL@!&sE7l7nFAv;|_y8=>55Q7J1OgGf
zr^X(SP|F=h0RR511`sXfv9?ek7#wF0funGC($c^QhNB=Th&@im0SAL36hQyo<=2-k
XZz9n9el{XBaPz`JLPBTs)j|IQPi<*H

literal 0
HcmV?d00001

diff --git a/example/src/main/resources/static/index.html b/example/src/main/resources/static/index.html
index 439d7b9..c060f41 100644
--- a/example/src/main/resources/static/index.html
+++ b/example/src/main/resources/static/index.html
@@ -43,31 +43,45 @@ <h4>Table of contents</h4>
             <hr/>
             <h3><a id="usage"></a>Usage</h3>
             <p>
-                Instructions for installing and testing in Firefox, Chrome or Edge (support for Safari has been already
-                added as well, but it is not yet published):
+                Instructions for installing and testing version 1.0.0-rc1 in Firefox, Chrome, Edge or Safari:
             </p>
             <ol>
                 <li>
                     Download and run the Web eID native app and browser extension installer:
                     <ul>
-                        <li>for Ubuntu Linux 20.04 from <a
-                                href="https://github.com/web-eid/web-eid-app/releases/download/0.9.4/web-eid_0.9.4.141_amd64.deb">here</a>,
+                        <li>for Firefox and Chrome on Ubuntu Linux 20.04 from <a
+                                href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc1/web-eid_1.0.0.354_amd64.deb">here</a>,
                             install it with either the Ubuntu Software Center or from the console with<br>
-                            <code>sudo apt install ./web-eid_0.9.4.141_amd64.deb</code>
+                            <code>sudo apt install ./web-eid_1.0.0.354_amd64.deb</code>
                         </li>
-                        <li>for macOS 10.13 or later from <a
-                                href="https://github.com/web-eid/web-eid-app/releases/download/0.9.4/web-eid-0.9.4.141.pkg">here</a>
+                        <li>on macOS 10.15 or later,
+                            <ul>
+                                <li>
+                                    for Firefox from <a
+                                        href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc1/web-eid-firefox_1.0.0.354.pkg">here</a>,
+                                </li>
+                                <li>
+                                    for Chrome from <a
+                                        href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc1/web-eid-chrome_1.0.0.354.pkg">here</a>;
+                                </li>
+                                <li>
+                                    Safari extension is also available from <a
+                                        href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc1/web-eid-safari_1.0.0.354.pkg">here</a>,
+                                    but it is not yet signed, so it is not currently possible to enable it; a signed
+                                    release will be available shortly.
+                                </li>
+                            </ul>
                         </li>
-                        <li>for Windows 10 from <a
-                                href="https://github.com/web-eid/web-eid-app/releases/download/0.9.4/web-eid-0.9.4.141.x64.msi">here</a>.
+                        <li>for Firefox, Chrome and Edge on Windows 10 (64-bit) from <a
+                                href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc1/web-eid_1.0.0.354.x64.qt.msi">here</a>.
                         </li>
                     </ul>
                 </li>
                 <li>
                     The installer will install the browser extension for all supported browsers automatically.
                     The extension must be manually enabled from either the extension installation pop-up that appears in
-                    the browser
-                    or from the browser extensions management page and may need browser restart under certain
+                    the browser or from the browser extensions management page and may need browser restart under
+                    certain
                     circumstances.
                 </li>
                 <li>
@@ -84,6 +98,9 @@ <h3><a id="usage"></a>Usage</h3>
                 <button id="webeid-auth-button" class="btn btn-info">Authenticate</button>
             </p>
 
+            <p>The privacy policy of the test service is available <a href="/files/Web eID privacy policy.pdf">here</a>.
+            </p>
+
             <hr/>
             <h4>Uninstallation</h4>
 
@@ -117,6 +134,21 @@ <h4>Debugging and logs</h4>
                     logs in the <i>Console</i> tab, put breakpoints in extension code in the <i>Debugger</i> tab
                     and inspect extension network communication in the <i>Network</i> tab.
                 </li>
+                <li>
+                    To enable logging in the extension companion native app,
+                    <ul>
+                        <li>in Linux, run the following command in the console:<br>
+                            <code>echo 'logging=true' > ~/.config/RIA/web-eid.conf</code>
+                        </li>
+                        <li>in macOS, run the following command in the console:<br>
+                            <code>defaults write eu.web-eid.web-eid logging true</code>
+                        </li>
+                        <li>in Windows, add the following registry key:<br>
+                            <code>[HKEY_LOCAL_MACHINE\SOFTWARE\RIA\web-eid]</code><br>
+                            <code>"logging"="true"</code>
+                        </li>
+                    </ul>
+                </li>
                 <li>
                     The native app logs are stored in
                     <ul>

From ca6b814d3a23c3d2900abb65f29c59e5864836e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mart=20S=C3=B5mermaa?= <mrts.pydev@gmail.com>
Date: Thu, 6 May 2021 14:47:58 +0300
Subject: [PATCH 026/116] doc: make OS name bold

---
 example/src/main/resources/static/index.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/example/src/main/resources/static/index.html b/example/src/main/resources/static/index.html
index c060f41..f5aee18 100644
--- a/example/src/main/resources/static/index.html
+++ b/example/src/main/resources/static/index.html
@@ -49,12 +49,12 @@ <h3><a id="usage"></a>Usage</h3>
                 <li>
                     Download and run the Web eID native app and browser extension installer:
                     <ul>
-                        <li>for Firefox and Chrome on Ubuntu Linux 20.04 from <a
+                        <li>on <b>Ubuntu Linux</b> 20.04, for Firefox and Chrome from <a
                                 href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc1/web-eid_1.0.0.354_amd64.deb">here</a>,
                             install it with either the Ubuntu Software Center or from the console with<br>
                             <code>sudo apt install ./web-eid_1.0.0.354_amd64.deb</code>
                         </li>
-                        <li>on macOS 10.15 or later,
+                        <li>on <b>macOS</b> 10.15 or later,
                             <ul>
                                 <li>
                                     for Firefox from <a
@@ -72,7 +72,7 @@ <h3><a id="usage"></a>Usage</h3>
                                 </li>
                             </ul>
                         </li>
-                        <li>for Firefox, Chrome and Edge on Windows 10 (64-bit) from <a
+                        <li>on <b>Windows</b> 10 (64-bit), for Firefox, Chrome and Edge from <a
                                 href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc1/web-eid_1.0.0.354.x64.qt.msi">here</a>.
                         </li>
                     </ul>

From 6b8c9a711d114f23b11935818e46af478bc3909a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mart=20S=C3=B5mermaa?= <mrts.pydev@gmail.com>
Date: Mon, 10 May 2021 16:54:47 +0300
Subject: [PATCH 027/116] docs(index.html): add command for turning on Safari
 extension logging

---
 example/src/main/resources/static/index.html | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/example/src/main/resources/static/index.html b/example/src/main/resources/static/index.html
index f5aee18..81091fa 100644
--- a/example/src/main/resources/static/index.html
+++ b/example/src/main/resources/static/index.html
@@ -141,7 +141,8 @@ <h4>Debugging and logs</h4>
                             <code>echo 'logging=true' > ~/.config/RIA/web-eid.conf</code>
                         </li>
                         <li>in macOS, run the following command in the console:<br>
-                            <code>defaults write eu.web-eid.web-eid logging true</code>
+                            <code>defaults write eu.web-eid.web-eid logging true</code><br>
+                            <code>defaults write eu.web-eid.web-eid-safari logging true</code>
                         </li>
                         <li>in Windows, add the following registry key:<br>
                             <code>[HKEY_LOCAL_MACHINE\SOFTWARE\RIA\web-eid]</code><br>

From f7382a45e1d58231c39a2ecb494b60fbbe30751e Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 1 Jun 2021 13:10:45 +0300
Subject: [PATCH 028/116] doc: HKEY_CURRENT_USER, not HKEY_LOCAL_MACHINE

---
 example/src/main/resources/static/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/src/main/resources/static/index.html b/example/src/main/resources/static/index.html
index 81091fa..90352bb 100644
--- a/example/src/main/resources/static/index.html
+++ b/example/src/main/resources/static/index.html
@@ -145,7 +145,7 @@ <h4>Debugging and logs</h4>
                             <code>defaults write eu.web-eid.web-eid-safari logging true</code>
                         </li>
                         <li>in Windows, add the following registry key:<br>
-                            <code>[HKEY_LOCAL_MACHINE\SOFTWARE\RIA\web-eid]</code><br>
+                            <code>[HKEY_CURRENT_USER\SOFTWARE\RIA\web-eid]</code><br>
                             <code>"logging"="true"</code>
                         </li>
                     </ul>

From 15d3992985179afccf96b6c4c90af456285e4e38 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 1 Jun 2021 13:51:32 +0300
Subject: [PATCH 029/116] doc: add link to project website

---
 example/README.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/example/README.md b/example/README.md
index fdf3022..9b98191 100644
--- a/example/README.md
+++ b/example/README.md
@@ -5,6 +5,8 @@
 Example Spring Boot web application that uses Web eID for strong authentication
 and digital signing with electronic ID smart cards.
 
+More information about the Web eID project is available on the project [website](https://web-eid.eu/).
+
 ## Setup
 
 Note that although the browser considers localhost to be a secure context, it does not have a certificate,

From cfe7fe1cf23cd96a4df8a5c9441e310d903bbf28 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 11 Jun 2021 13:51:10 +0300
Subject: [PATCH 030/116] release(html): web-eid-app release 1.0.0-rc2

---
 example/src/main/resources/static/index.html | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/example/src/main/resources/static/index.html b/example/src/main/resources/static/index.html
index 90352bb..19c2de0 100644
--- a/example/src/main/resources/static/index.html
+++ b/example/src/main/resources/static/index.html
@@ -43,37 +43,37 @@ <h4>Table of contents</h4>
             <hr/>
             <h3><a id="usage"></a>Usage</h3>
             <p>
-                Instructions for installing and testing version 1.0.0-rc1 in Firefox, Chrome, Edge or Safari:
+                Instructions for installing and testing version 1.0.0-rc2 in Firefox, Chrome, Edge or Safari:
             </p>
             <ol>
                 <li>
                     Download and run the Web eID native app and browser extension installer:
                     <ul>
                         <li>on <b>Ubuntu Linux</b> 20.04, for Firefox and Chrome from <a
-                                href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc1/web-eid_1.0.0.354_amd64.deb">here</a>,
+                                href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc2/web-eid_1.0.0.511_amd64.deb">here</a>,
                             install it with either the Ubuntu Software Center or from the console with<br>
-                            <code>sudo apt install ./web-eid_1.0.0.354_amd64.deb</code>
+                            <code>sudo apt install ./web-eid_1.0.0.511_amd64.deb</code>
                         </li>
                         <li>on <b>macOS</b> 10.15 or later,
                             <ul>
                                 <li>
                                     for Firefox from <a
-                                        href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc1/web-eid-firefox_1.0.0.354.pkg">here</a>,
+                                        href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc2/web-eid-firefox_1.0.0.511.pkg">here</a>,
                                 </li>
                                 <li>
                                     for Chrome from <a
-                                        href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc1/web-eid-chrome_1.0.0.354.pkg">here</a>;
+                                        href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc2/web-eid-chrome_1.0.0.511.pkg">here</a>;
                                 </li>
                                 <li>
                                     Safari extension is also available from <a
-                                        href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc1/web-eid-safari_1.0.0.354.pkg">here</a>,
+                                        href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc2/web-eid-safari_1.0.0.511.pkg">here</a>,
                                     but it is not yet signed, so it is not currently possible to enable it; a signed
                                     release will be available shortly.
                                 </li>
                             </ul>
                         </li>
                         <li>on <b>Windows</b> 10 (64-bit), for Firefox, Chrome and Edge from <a
-                                href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc1/web-eid_1.0.0.354.x64.qt.msi">here</a>.
+                                href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc2/web-eid_1.0.0.511.x64.qt.msi">here</a>.
                         </li>
                     </ul>
                 </li>

From 8a6b579db40a5c08fd465d2bba35d9e9d21b8237 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Mon, 12 Jul 2021 14:23:30 +0300
Subject: [PATCH 031/116] conf: forward HTTPS information from reverse proxy to
 Tomcat so that it can apply security settings

---
 example/src/main/resources/application.properties | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/example/src/main/resources/application.properties b/example/src/main/resources/application.properties
index cbb42d2..d1c337f 100644
--- a/example/src/main/resources/application.properties
+++ b/example/src/main/resources/application.properties
@@ -1 +1,8 @@
 spring.profiles.active=dev
+# Make session cookie secure behind a reverse proxy, see
+# - https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-use-behind-a-proxy-server
+# - https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-enable-https
+server.forward-headers-strategy=native
+server.tomcat.remote-ip-header=x-forwarded-for
+server.tomcat.protocol-header=x-forwarded-proto
+# server.servlet.session.cookie.secure=true -- implicit when HTTPS is detected

From 940e318827006c9cca5d537484af4a1e13d05779 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 13 Jul 2021 18:07:20 +0300
Subject: [PATCH 032/116] feat(config): add SameSite cookie configuration

---
 .../config/SameSiteCookieConfiguration.java   | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 example/src/main/java/org/webeid/example/config/SameSiteCookieConfiguration.java

diff --git a/example/src/main/java/org/webeid/example/config/SameSiteCookieConfiguration.java b/example/src/main/java/org/webeid/example/config/SameSiteCookieConfiguration.java
new file mode 100644
index 0000000..2183a9f
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/config/SameSiteCookieConfiguration.java
@@ -0,0 +1,20 @@
+package org.webeid.example.config;
+
+import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
+import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+@Configuration
+public class SameSiteCookieConfiguration implements WebMvcConfigurer {
+
+    @Bean
+    public TomcatContextCustomizer configureSameSiteCookies() {
+        return context -> {
+            final Rfc6265CookieProcessor cookieProcessor = new Rfc6265CookieProcessor();
+            cookieProcessor.setSameSiteCookies("strict");
+            context.setCookieProcessor(cookieProcessor);
+        };
+    }
+}

From 27c2185b5c2b541a37a75c2ca92dd0d46fc42616 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 13 Jul 2021 18:19:51 +0300
Subject: [PATCH 033/116] doc: document HTTPS support

---
 example/README.md | 67 ++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 60 insertions(+), 7 deletions(-)

diff --git a/example/README.md b/example/README.md
index 9b98191..d775432 100644
--- a/example/README.md
+++ b/example/README.md
@@ -7,15 +7,68 @@ and digital signing with electronic ID smart cards.
 
 More information about the Web eID project is available on the project [website](https://web-eid.eu/).
 
-## Setup
+## HTTPS support
 
-Note that although the browser considers localhost to be a secure context, it does not have a certificate,
-therefore you need to use e.g. Ngrok.io for local testing.
+There are two ways of adding HTTPS support to a Spring Boot application:
 
-Download ngrok and run locally using two parameters:
-```sh
-ngrok http 8080
-```
+1. enable HTTPS support directly in the bundled Tomcat server by configuring
+   the `server.ssl.*` properties,
+
+2. use a reverse proxy server that handles TLS termination and communicates
+   with the Spring Boot application over a local HTTP socket.
+
+The first approach is straightforward and documented in the [official documentation](https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto.webserver.configure-ssl).
+
+The second approach, running behind a reverse proxy, is common in enterprise
+deployments and the configuration is more involved. We assume this setup in the
+current project and document it in this section.
+
+Enabling HTTPS support when running behind a reverse proxy server requires
+configuration of both the proxy server and the Spring Boot application.
+
+The proxy server must pass the `Host:` line from the incoming request to the
+proxied application and set the `X-Forwarded-*` headers to inform the
+application that it runs behind a reverse proxy. Here is example configuration
+for the Apache web server:
+
+    <Location />
+        ProxyPreserveHost On
+        ProxyPass http://localhost:8380/
+        ProxyPassReverse http://localhost:8380/
+        RequestHeader set X-Forwarded-Proto https
+        RequestHeader set X-Forwarded-Port 443
+    </Location>
+
+The Spring Boot application turns on proxied HTTPS support in the bundled
+Tomcat web server automatically if it detects the presence of the
+`X-Forwarded-*` headers and the following settings are configured in
+`application.properties`:
+
+    server.forward-headers-strategy=native
+    server.tomcat.remote-ip-header=x-forwarded-for
+    server.tomcat.protocol-header=x-forwarded-proto
+
+These settings are already enabled in the default
+[`application.properties`](src/main/resources/application.properties). See
+chapter
+[9.3.12](https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-use-behind-a-proxy-server)
+and
+[9.14.3](https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-enable-https)
+in the official documentation for further details.
+
+### How to verify that HTTPS is configured properly
+
+When HTTPS support is configured properly, all responses will have the HTTP
+Strict Transport Security (HSTS) header and the `JSESSIONID` session cookie has
+`Secure` attribute set.
+
+### Using a HTTPS proxy during development
+
+Use e.g. [_ngrok_](https://ngrok.com/) during development to get a reverse
+proxy with a trusted HTTPS certificates. Download _ngrok_ and run it locally by
+providing the protocol and Spring Boot application port as follows:
+
+    ngrok http 8080
 
 ## Configuration
 

From d207c18e6e8005bcd37517b3fa00612c6428512b Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Thu, 15 Jul 2021 12:37:10 +0300
Subject: [PATCH 034/116] css: load Bootstrap CSS from resources instead of CDN

---
 example/src/main/resources/static/css/bootstrap.min.css    | 7 +++++++
 example/src/main/resources/static/index.html               | 3 +--
 .../templates/welcome-with-file-upload-support.html        | 3 +--
 example/src/main/resources/templates/welcome.html          | 3 +--
 4 files changed, 10 insertions(+), 6 deletions(-)
 create mode 100644 example/src/main/resources/static/css/bootstrap.min.css

diff --git a/example/src/main/resources/static/css/bootstrap.min.css b/example/src/main/resources/static/css/bootstrap.min.css
new file mode 100644
index 0000000..7d2a868
--- /dev/null
+++ b/example/src/main/resources/static/css/bootstrap.min.css
@@ -0,0 +1,7 @@
+/*!
+ * Bootstrap v4.5.0 (https://getbootstrap.com/)
+ * Copyright 2011-2020 The Bootstrap Authors
+ * Copyright 2011-2020 Twitter, Inc.
+ * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
+ */:root{--blue:#007bff;--indigo:#6610f2;--purple:#6f42c1;--pink:#e83e8c;--red:#dc3545;--orange:#fd7e14;--yellow:#ffc107;--green:#28a745;--teal:#20c997;--cyan:#17a2b8;--white:#fff;--gray:#6c757d;--gray-dark:#343a40;--primary:#007bff;--secondary:#6c757d;--success:#28a745;--info:#17a2b8;--warning:#ffc107;--danger:#dc3545;--light:#f8f9fa;--dark:#343a40;--breakpoint-xs:0;--breakpoint-sm:576px;--breakpoint-md:768px;--breakpoint-lg:992px;--breakpoint-xl:1200px;--font-family-sans-serif:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,"Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";--font-family-monospace:SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace}*,::after,::before{box-sizing:border-box}html{font-family:sans-serif;line-height:1.15;-webkit-text-size-adjust:100%;-webkit-tap-highlight-color:transparent}article,aside,figcaption,figure,footer,header,hgroup,main,nav,section{display:block}body{margin:0;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,"Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";font-size:1rem;font-weight:400;line-height:1.5;color:#212529;text-align:left;background-color:#fff}[tabindex="-1"]:focus:not(:focus-visible){outline:0!important}hr{box-sizing:content-box;height:0;overflow:visible}h1,h2,h3,h4,h5,h6{margin-top:0;margin-bottom:.5rem}p{margin-top:0;margin-bottom:1rem}abbr[data-original-title],abbr[title]{text-decoration:underline;-webkit-text-decoration:underline dotted;text-decoration:underline dotted;cursor:help;border-bottom:0;-webkit-text-decoration-skip-ink:none;text-decoration-skip-ink:none}address{margin-bottom:1rem;font-style:normal;line-height:inherit}dl,ol,ul{margin-top:0;margin-bottom:1rem}ol ol,ol ul,ul ol,ul ul{margin-bottom:0}dt{font-weight:700}dd{margin-bottom:.5rem;margin-left:0}blockquote{margin:0 0 1rem}b,strong{font-weight:bolder}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}a{color:#007bff;text-decoration:none;background-color:transparent}a:hover{color:#0056b3;text-decoration:underline}a:not([href]){color:inherit;text-decoration:none}a:not([href]):hover{color:inherit;text-decoration:none}code,kbd,pre,samp{font-family:SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace;font-size:1em}pre{margin-top:0;margin-bottom:1rem;overflow:auto;-ms-overflow-style:scrollbar}figure{margin:0 0 1rem}img{vertical-align:middle;border-style:none}svg{overflow:hidden;vertical-align:middle}table{border-collapse:collapse}caption{padding-top:.75rem;padding-bottom:.75rem;color:#6c757d;text-align:left;caption-side:bottom}th{text-align:inherit}label{display:inline-block;margin-bottom:.5rem}button{border-radius:0}button:focus{outline:1px dotted;outline:5px auto -webkit-focus-ring-color}button,input,optgroup,select,textarea{margin:0;font-family:inherit;font-size:inherit;line-height:inherit}button,input{overflow:visible}button,select{text-transform:none}[role=button]{cursor:pointer}select{word-wrap:normal}[type=button],[type=reset],[type=submit],button{-webkit-appearance:button}[type=button]:not(:disabled),[type=reset]:not(:disabled),[type=submit]:not(:disabled),button:not(:disabled){cursor:pointer}[type=button]::-moz-focus-inner,[type=reset]::-moz-focus-inner,[type=submit]::-moz-focus-inner,button::-moz-focus-inner{padding:0;border-style:none}input[type=checkbox],input[type=radio]{box-sizing:border-box;padding:0}textarea{overflow:auto;resize:vertical}fieldset{min-width:0;padding:0;margin:0;border:0}legend{display:block;width:100%;max-width:100%;padding:0;margin-bottom:.5rem;font-size:1.5rem;line-height:inherit;color:inherit;white-space:normal}progress{vertical-align:baseline}[type=number]::-webkit-inner-spin-button,[type=number]::-webkit-outer-spin-button{height:auto}[type=search]{outline-offset:-2px;-webkit-appearance:none}[type=search]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{font:inherit;-webkit-appearance:button}output{display:inline-block}summary{display:list-item;cursor:pointer}template{display:none}[hidden]{display:none!important}.h1,.h2,.h3,.h4,.h5,.h6,h1,h2,h3,h4,h5,h6{margin-bottom:.5rem;font-weight:500;line-height:1.2}.h1,h1{font-size:2.5rem}.h2,h2{font-size:2rem}.h3,h3{font-size:1.75rem}.h4,h4{font-size:1.5rem}.h5,h5{font-size:1.25rem}.h6,h6{font-size:1rem}.lead{font-size:1.25rem;font-weight:300}.display-1{font-size:6rem;font-weight:300;line-height:1.2}.display-2{font-size:5.5rem;font-weight:300;line-height:1.2}.display-3{font-size:4.5rem;font-weight:300;line-height:1.2}.display-4{font-size:3.5rem;font-weight:300;line-height:1.2}hr{margin-top:1rem;margin-bottom:1rem;border:0;border-top:1px solid rgba(0,0,0,.1)}.small,small{font-size:80%;font-weight:400}.mark,mark{padding:.2em;background-color:#fcf8e3}.list-unstyled{padding-left:0;list-style:none}.list-inline{padding-left:0;list-style:none}.list-inline-item{display:inline-block}.list-inline-item:not(:last-child){margin-right:.5rem}.initialism{font-size:90%;text-transform:uppercase}.blockquote{margin-bottom:1rem;font-size:1.25rem}.blockquote-footer{display:block;font-size:80%;color:#6c757d}.blockquote-footer::before{content:"\2014\00A0"}.img-fluid{max-width:100%;height:auto}.img-thumbnail{padding:.25rem;background-color:#fff;border:1px solid #dee2e6;border-radius:.25rem;max-width:100%;height:auto}.figure{display:inline-block}.figure-img{margin-bottom:.5rem;line-height:1}.figure-caption{font-size:90%;color:#6c757d}code{font-size:87.5%;color:#e83e8c;word-wrap:break-word}a>code{color:inherit}kbd{padding:.2rem .4rem;font-size:87.5%;color:#fff;background-color:#212529;border-radius:.2rem}kbd kbd{padding:0;font-size:100%;font-weight:700}pre{display:block;font-size:87.5%;color:#212529}pre code{font-size:inherit;color:inherit;word-break:normal}.pre-scrollable{max-height:340px;overflow-y:scroll}.container{width:100%;padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:576px){.container{max-width:540px}}@media (min-width:768px){.container{max-width:720px}}@media (min-width:992px){.container{max-width:960px}}@media (min-width:1200px){.container{max-width:1140px}}.container-fluid,.container-lg,.container-md,.container-sm,.container-xl{width:100%;padding-right:15px;padding-left:15px;margin-right:auto;margin-left:auto}@media (min-width:576px){.container,.container-sm{max-width:540px}}@media (min-width:768px){.container,.container-md,.container-sm{max-width:720px}}@media (min-width:992px){.container,.container-lg,.container-md,.container-sm{max-width:960px}}@media (min-width:1200px){.container,.container-lg,.container-md,.container-sm,.container-xl{max-width:1140px}}.row{display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;margin-right:-15px;margin-left:-15px}.no-gutters{margin-right:0;margin-left:0}.no-gutters>.col,.no-gutters>[class*=col-]{padding-right:0;padding-left:0}.col,.col-1,.col-10,.col-11,.col-12,.col-2,.col-3,.col-4,.col-5,.col-6,.col-7,.col-8,.col-9,.col-auto,.col-lg,.col-lg-1,.col-lg-10,.col-lg-11,.col-lg-12,.col-lg-2,.col-lg-3,.col-lg-4,.col-lg-5,.col-lg-6,.col-lg-7,.col-lg-8,.col-lg-9,.col-lg-auto,.col-md,.col-md-1,.col-md-10,.col-md-11,.col-md-12,.col-md-2,.col-md-3,.col-md-4,.col-md-5,.col-md-6,.col-md-7,.col-md-8,.col-md-9,.col-md-auto,.col-sm,.col-sm-1,.col-sm-10,.col-sm-11,.col-sm-12,.col-sm-2,.col-sm-3,.col-sm-4,.col-sm-5,.col-sm-6,.col-sm-7,.col-sm-8,.col-sm-9,.col-sm-auto,.col-xl,.col-xl-1,.col-xl-10,.col-xl-11,.col-xl-12,.col-xl-2,.col-xl-3,.col-xl-4,.col-xl-5,.col-xl-6,.col-xl-7,.col-xl-8,.col-xl-9,.col-xl-auto{position:relative;width:100%;padding-right:15px;padding-left:15px}.col{-ms-flex-preferred-size:0;flex-basis:0;-ms-flex-positive:1;flex-grow:1;min-width:0;max-width:100%}.row-cols-1>*{-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.row-cols-2>*{-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.row-cols-3>*{-ms-flex:0 0 33.333333%;flex:0 0 33.333333%;max-width:33.333333%}.row-cols-4>*{-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.row-cols-5>*{-ms-flex:0 0 20%;flex:0 0 20%;max-width:20%}.row-cols-6>*{-ms-flex:0 0 16.666667%;flex:0 0 16.666667%;max-width:16.666667%}.col-auto{-ms-flex:0 0 auto;flex:0 0 auto;width:auto;max-width:100%}.col-1{-ms-flex:0 0 8.333333%;flex:0 0 8.333333%;max-width:8.333333%}.col-2{-ms-flex:0 0 16.666667%;flex:0 0 16.666667%;max-width:16.666667%}.col-3{-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.col-4{-ms-flex:0 0 33.333333%;flex:0 0 33.333333%;max-width:33.333333%}.col-5{-ms-flex:0 0 41.666667%;flex:0 0 41.666667%;max-width:41.666667%}.col-6{-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.col-7{-ms-flex:0 0 58.333333%;flex:0 0 58.333333%;max-width:58.333333%}.col-8{-ms-flex:0 0 66.666667%;flex:0 0 66.666667%;max-width:66.666667%}.col-9{-ms-flex:0 0 75%;flex:0 0 75%;max-width:75%}.col-10{-ms-flex:0 0 83.333333%;flex:0 0 83.333333%;max-width:83.333333%}.col-11{-ms-flex:0 0 91.666667%;flex:0 0 91.666667%;max-width:91.666667%}.col-12{-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.order-first{-ms-flex-order:-1;order:-1}.order-last{-ms-flex-order:13;order:13}.order-0{-ms-flex-order:0;order:0}.order-1{-ms-flex-order:1;order:1}.order-2{-ms-flex-order:2;order:2}.order-3{-ms-flex-order:3;order:3}.order-4{-ms-flex-order:4;order:4}.order-5{-ms-flex-order:5;order:5}.order-6{-ms-flex-order:6;order:6}.order-7{-ms-flex-order:7;order:7}.order-8{-ms-flex-order:8;order:8}.order-9{-ms-flex-order:9;order:9}.order-10{-ms-flex-order:10;order:10}.order-11{-ms-flex-order:11;order:11}.order-12{-ms-flex-order:12;order:12}.offset-1{margin-left:8.333333%}.offset-2{margin-left:16.666667%}.offset-3{margin-left:25%}.offset-4{margin-left:33.333333%}.offset-5{margin-left:41.666667%}.offset-6{margin-left:50%}.offset-7{margin-left:58.333333%}.offset-8{margin-left:66.666667%}.offset-9{margin-left:75%}.offset-10{margin-left:83.333333%}.offset-11{margin-left:91.666667%}@media (min-width:576px){.col-sm{-ms-flex-preferred-size:0;flex-basis:0;-ms-flex-positive:1;flex-grow:1;min-width:0;max-width:100%}.row-cols-sm-1>*{-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.row-cols-sm-2>*{-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.row-cols-sm-3>*{-ms-flex:0 0 33.333333%;flex:0 0 33.333333%;max-width:33.333333%}.row-cols-sm-4>*{-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.row-cols-sm-5>*{-ms-flex:0 0 20%;flex:0 0 20%;max-width:20%}.row-cols-sm-6>*{-ms-flex:0 0 16.666667%;flex:0 0 16.666667%;max-width:16.666667%}.col-sm-auto{-ms-flex:0 0 auto;flex:0 0 auto;width:auto;max-width:100%}.col-sm-1{-ms-flex:0 0 8.333333%;flex:0 0 8.333333%;max-width:8.333333%}.col-sm-2{-ms-flex:0 0 16.666667%;flex:0 0 16.666667%;max-width:16.666667%}.col-sm-3{-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.col-sm-4{-ms-flex:0 0 33.333333%;flex:0 0 33.333333%;max-width:33.333333%}.col-sm-5{-ms-flex:0 0 41.666667%;flex:0 0 41.666667%;max-width:41.666667%}.col-sm-6{-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.col-sm-7{-ms-flex:0 0 58.333333%;flex:0 0 58.333333%;max-width:58.333333%}.col-sm-8{-ms-flex:0 0 66.666667%;flex:0 0 66.666667%;max-width:66.666667%}.col-sm-9{-ms-flex:0 0 75%;flex:0 0 75%;max-width:75%}.col-sm-10{-ms-flex:0 0 83.333333%;flex:0 0 83.333333%;max-width:83.333333%}.col-sm-11{-ms-flex:0 0 91.666667%;flex:0 0 91.666667%;max-width:91.666667%}.col-sm-12{-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.order-sm-first{-ms-flex-order:-1;order:-1}.order-sm-last{-ms-flex-order:13;order:13}.order-sm-0{-ms-flex-order:0;order:0}.order-sm-1{-ms-flex-order:1;order:1}.order-sm-2{-ms-flex-order:2;order:2}.order-sm-3{-ms-flex-order:3;order:3}.order-sm-4{-ms-flex-order:4;order:4}.order-sm-5{-ms-flex-order:5;order:5}.order-sm-6{-ms-flex-order:6;order:6}.order-sm-7{-ms-flex-order:7;order:7}.order-sm-8{-ms-flex-order:8;order:8}.order-sm-9{-ms-flex-order:9;order:9}.order-sm-10{-ms-flex-order:10;order:10}.order-sm-11{-ms-flex-order:11;order:11}.order-sm-12{-ms-flex-order:12;order:12}.offset-sm-0{margin-left:0}.offset-sm-1{margin-left:8.333333%}.offset-sm-2{margin-left:16.666667%}.offset-sm-3{margin-left:25%}.offset-sm-4{margin-left:33.333333%}.offset-sm-5{margin-left:41.666667%}.offset-sm-6{margin-left:50%}.offset-sm-7{margin-left:58.333333%}.offset-sm-8{margin-left:66.666667%}.offset-sm-9{margin-left:75%}.offset-sm-10{margin-left:83.333333%}.offset-sm-11{margin-left:91.666667%}}@media (min-width:768px){.col-md{-ms-flex-preferred-size:0;flex-basis:0;-ms-flex-positive:1;flex-grow:1;min-width:0;max-width:100%}.row-cols-md-1>*{-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.row-cols-md-2>*{-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.row-cols-md-3>*{-ms-flex:0 0 33.333333%;flex:0 0 33.333333%;max-width:33.333333%}.row-cols-md-4>*{-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.row-cols-md-5>*{-ms-flex:0 0 20%;flex:0 0 20%;max-width:20%}.row-cols-md-6>*{-ms-flex:0 0 16.666667%;flex:0 0 16.666667%;max-width:16.666667%}.col-md-auto{-ms-flex:0 0 auto;flex:0 0 auto;width:auto;max-width:100%}.col-md-1{-ms-flex:0 0 8.333333%;flex:0 0 8.333333%;max-width:8.333333%}.col-md-2{-ms-flex:0 0 16.666667%;flex:0 0 16.666667%;max-width:16.666667%}.col-md-3{-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.col-md-4{-ms-flex:0 0 33.333333%;flex:0 0 33.333333%;max-width:33.333333%}.col-md-5{-ms-flex:0 0 41.666667%;flex:0 0 41.666667%;max-width:41.666667%}.col-md-6{-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.col-md-7{-ms-flex:0 0 58.333333%;flex:0 0 58.333333%;max-width:58.333333%}.col-md-8{-ms-flex:0 0 66.666667%;flex:0 0 66.666667%;max-width:66.666667%}.col-md-9{-ms-flex:0 0 75%;flex:0 0 75%;max-width:75%}.col-md-10{-ms-flex:0 0 83.333333%;flex:0 0 83.333333%;max-width:83.333333%}.col-md-11{-ms-flex:0 0 91.666667%;flex:0 0 91.666667%;max-width:91.666667%}.col-md-12{-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.order-md-first{-ms-flex-order:-1;order:-1}.order-md-last{-ms-flex-order:13;order:13}.order-md-0{-ms-flex-order:0;order:0}.order-md-1{-ms-flex-order:1;order:1}.order-md-2{-ms-flex-order:2;order:2}.order-md-3{-ms-flex-order:3;order:3}.order-md-4{-ms-flex-order:4;order:4}.order-md-5{-ms-flex-order:5;order:5}.order-md-6{-ms-flex-order:6;order:6}.order-md-7{-ms-flex-order:7;order:7}.order-md-8{-ms-flex-order:8;order:8}.order-md-9{-ms-flex-order:9;order:9}.order-md-10{-ms-flex-order:10;order:10}.order-md-11{-ms-flex-order:11;order:11}.order-md-12{-ms-flex-order:12;order:12}.offset-md-0{margin-left:0}.offset-md-1{margin-left:8.333333%}.offset-md-2{margin-left:16.666667%}.offset-md-3{margin-left:25%}.offset-md-4{margin-left:33.333333%}.offset-md-5{margin-left:41.666667%}.offset-md-6{margin-left:50%}.offset-md-7{margin-left:58.333333%}.offset-md-8{margin-left:66.666667%}.offset-md-9{margin-left:75%}.offset-md-10{margin-left:83.333333%}.offset-md-11{margin-left:91.666667%}}@media (min-width:992px){.col-lg{-ms-flex-preferred-size:0;flex-basis:0;-ms-flex-positive:1;flex-grow:1;min-width:0;max-width:100%}.row-cols-lg-1>*{-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.row-cols-lg-2>*{-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.row-cols-lg-3>*{-ms-flex:0 0 33.333333%;flex:0 0 33.333333%;max-width:33.333333%}.row-cols-lg-4>*{-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.row-cols-lg-5>*{-ms-flex:0 0 20%;flex:0 0 20%;max-width:20%}.row-cols-lg-6>*{-ms-flex:0 0 16.666667%;flex:0 0 16.666667%;max-width:16.666667%}.col-lg-auto{-ms-flex:0 0 auto;flex:0 0 auto;width:auto;max-width:100%}.col-lg-1{-ms-flex:0 0 8.333333%;flex:0 0 8.333333%;max-width:8.333333%}.col-lg-2{-ms-flex:0 0 16.666667%;flex:0 0 16.666667%;max-width:16.666667%}.col-lg-3{-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.col-lg-4{-ms-flex:0 0 33.333333%;flex:0 0 33.333333%;max-width:33.333333%}.col-lg-5{-ms-flex:0 0 41.666667%;flex:0 0 41.666667%;max-width:41.666667%}.col-lg-6{-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.col-lg-7{-ms-flex:0 0 58.333333%;flex:0 0 58.333333%;max-width:58.333333%}.col-lg-8{-ms-flex:0 0 66.666667%;flex:0 0 66.666667%;max-width:66.666667%}.col-lg-9{-ms-flex:0 0 75%;flex:0 0 75%;max-width:75%}.col-lg-10{-ms-flex:0 0 83.333333%;flex:0 0 83.333333%;max-width:83.333333%}.col-lg-11{-ms-flex:0 0 91.666667%;flex:0 0 91.666667%;max-width:91.666667%}.col-lg-12{-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.order-lg-first{-ms-flex-order:-1;order:-1}.order-lg-last{-ms-flex-order:13;order:13}.order-lg-0{-ms-flex-order:0;order:0}.order-lg-1{-ms-flex-order:1;order:1}.order-lg-2{-ms-flex-order:2;order:2}.order-lg-3{-ms-flex-order:3;order:3}.order-lg-4{-ms-flex-order:4;order:4}.order-lg-5{-ms-flex-order:5;order:5}.order-lg-6{-ms-flex-order:6;order:6}.order-lg-7{-ms-flex-order:7;order:7}.order-lg-8{-ms-flex-order:8;order:8}.order-lg-9{-ms-flex-order:9;order:9}.order-lg-10{-ms-flex-order:10;order:10}.order-lg-11{-ms-flex-order:11;order:11}.order-lg-12{-ms-flex-order:12;order:12}.offset-lg-0{margin-left:0}.offset-lg-1{margin-left:8.333333%}.offset-lg-2{margin-left:16.666667%}.offset-lg-3{margin-left:25%}.offset-lg-4{margin-left:33.333333%}.offset-lg-5{margin-left:41.666667%}.offset-lg-6{margin-left:50%}.offset-lg-7{margin-left:58.333333%}.offset-lg-8{margin-left:66.666667%}.offset-lg-9{margin-left:75%}.offset-lg-10{margin-left:83.333333%}.offset-lg-11{margin-left:91.666667%}}@media (min-width:1200px){.col-xl{-ms-flex-preferred-size:0;flex-basis:0;-ms-flex-positive:1;flex-grow:1;min-width:0;max-width:100%}.row-cols-xl-1>*{-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.row-cols-xl-2>*{-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.row-cols-xl-3>*{-ms-flex:0 0 33.333333%;flex:0 0 33.333333%;max-width:33.333333%}.row-cols-xl-4>*{-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.row-cols-xl-5>*{-ms-flex:0 0 20%;flex:0 0 20%;max-width:20%}.row-cols-xl-6>*{-ms-flex:0 0 16.666667%;flex:0 0 16.666667%;max-width:16.666667%}.col-xl-auto{-ms-flex:0 0 auto;flex:0 0 auto;width:auto;max-width:100%}.col-xl-1{-ms-flex:0 0 8.333333%;flex:0 0 8.333333%;max-width:8.333333%}.col-xl-2{-ms-flex:0 0 16.666667%;flex:0 0 16.666667%;max-width:16.666667%}.col-xl-3{-ms-flex:0 0 25%;flex:0 0 25%;max-width:25%}.col-xl-4{-ms-flex:0 0 33.333333%;flex:0 0 33.333333%;max-width:33.333333%}.col-xl-5{-ms-flex:0 0 41.666667%;flex:0 0 41.666667%;max-width:41.666667%}.col-xl-6{-ms-flex:0 0 50%;flex:0 0 50%;max-width:50%}.col-xl-7{-ms-flex:0 0 58.333333%;flex:0 0 58.333333%;max-width:58.333333%}.col-xl-8{-ms-flex:0 0 66.666667%;flex:0 0 66.666667%;max-width:66.666667%}.col-xl-9{-ms-flex:0 0 75%;flex:0 0 75%;max-width:75%}.col-xl-10{-ms-flex:0 0 83.333333%;flex:0 0 83.333333%;max-width:83.333333%}.col-xl-11{-ms-flex:0 0 91.666667%;flex:0 0 91.666667%;max-width:91.666667%}.col-xl-12{-ms-flex:0 0 100%;flex:0 0 100%;max-width:100%}.order-xl-first{-ms-flex-order:-1;order:-1}.order-xl-last{-ms-flex-order:13;order:13}.order-xl-0{-ms-flex-order:0;order:0}.order-xl-1{-ms-flex-order:1;order:1}.order-xl-2{-ms-flex-order:2;order:2}.order-xl-3{-ms-flex-order:3;order:3}.order-xl-4{-ms-flex-order:4;order:4}.order-xl-5{-ms-flex-order:5;order:5}.order-xl-6{-ms-flex-order:6;order:6}.order-xl-7{-ms-flex-order:7;order:7}.order-xl-8{-ms-flex-order:8;order:8}.order-xl-9{-ms-flex-order:9;order:9}.order-xl-10{-ms-flex-order:10;order:10}.order-xl-11{-ms-flex-order:11;order:11}.order-xl-12{-ms-flex-order:12;order:12}.offset-xl-0{margin-left:0}.offset-xl-1{margin-left:8.333333%}.offset-xl-2{margin-left:16.666667%}.offset-xl-3{margin-left:25%}.offset-xl-4{margin-left:33.333333%}.offset-xl-5{margin-left:41.666667%}.offset-xl-6{margin-left:50%}.offset-xl-7{margin-left:58.333333%}.offset-xl-8{margin-left:66.666667%}.offset-xl-9{margin-left:75%}.offset-xl-10{margin-left:83.333333%}.offset-xl-11{margin-left:91.666667%}}.table{width:100%;margin-bottom:1rem;color:#212529}.table td,.table th{padding:.75rem;vertical-align:top;border-top:1px solid #dee2e6}.table thead th{vertical-align:bottom;border-bottom:2px solid #dee2e6}.table tbody+tbody{border-top:2px solid #dee2e6}.table-sm td,.table-sm th{padding:.3rem}.table-bordered{border:1px solid #dee2e6}.table-bordered td,.table-bordered th{border:1px solid #dee2e6}.table-bordered thead td,.table-bordered thead th{border-bottom-width:2px}.table-borderless tbody+tbody,.table-borderless td,.table-borderless th,.table-borderless thead th{border:0}.table-striped tbody tr:nth-of-type(odd){background-color:rgba(0,0,0,.05)}.table-hover tbody tr:hover{color:#212529;background-color:rgba(0,0,0,.075)}.table-primary,.table-primary>td,.table-primary>th{background-color:#b8daff}.table-primary tbody+tbody,.table-primary td,.table-primary th,.table-primary thead th{border-color:#7abaff}.table-hover .table-primary:hover{background-color:#9fcdff}.table-hover .table-primary:hover>td,.table-hover .table-primary:hover>th{background-color:#9fcdff}.table-secondary,.table-secondary>td,.table-secondary>th{background-color:#d6d8db}.table-secondary tbody+tbody,.table-secondary td,.table-secondary th,.table-secondary thead th{border-color:#b3b7bb}.table-hover .table-secondary:hover{background-color:#c8cbcf}.table-hover .table-secondary:hover>td,.table-hover .table-secondary:hover>th{background-color:#c8cbcf}.table-success,.table-success>td,.table-success>th{background-color:#c3e6cb}.table-success tbody+tbody,.table-success td,.table-success th,.table-success thead th{border-color:#8fd19e}.table-hover .table-success:hover{background-color:#b1dfbb}.table-hover .table-success:hover>td,.table-hover .table-success:hover>th{background-color:#b1dfbb}.table-info,.table-info>td,.table-info>th{background-color:#bee5eb}.table-info tbody+tbody,.table-info td,.table-info th,.table-info thead th{border-color:#86cfda}.table-hover .table-info:hover{background-color:#abdde5}.table-hover .table-info:hover>td,.table-hover .table-info:hover>th{background-color:#abdde5}.table-warning,.table-warning>td,.table-warning>th{background-color:#ffeeba}.table-warning tbody+tbody,.table-warning td,.table-warning th,.table-warning thead th{border-color:#ffdf7e}.table-hover .table-warning:hover{background-color:#ffe8a1}.table-hover .table-warning:hover>td,.table-hover .table-warning:hover>th{background-color:#ffe8a1}.table-danger,.table-danger>td,.table-danger>th{background-color:#f5c6cb}.table-danger tbody+tbody,.table-danger td,.table-danger th,.table-danger thead th{border-color:#ed969e}.table-hover .table-danger:hover{background-color:#f1b0b7}.table-hover .table-danger:hover>td,.table-hover .table-danger:hover>th{background-color:#f1b0b7}.table-light,.table-light>td,.table-light>th{background-color:#fdfdfe}.table-light tbody+tbody,.table-light td,.table-light th,.table-light thead th{border-color:#fbfcfc}.table-hover .table-light:hover{background-color:#ececf6}.table-hover .table-light:hover>td,.table-hover .table-light:hover>th{background-color:#ececf6}.table-dark,.table-dark>td,.table-dark>th{background-color:#c6c8ca}.table-dark tbody+tbody,.table-dark td,.table-dark th,.table-dark thead th{border-color:#95999c}.table-hover .table-dark:hover{background-color:#b9bbbe}.table-hover .table-dark:hover>td,.table-hover .table-dark:hover>th{background-color:#b9bbbe}.table-active,.table-active>td,.table-active>th{background-color:rgba(0,0,0,.075)}.table-hover .table-active:hover{background-color:rgba(0,0,0,.075)}.table-hover .table-active:hover>td,.table-hover .table-active:hover>th{background-color:rgba(0,0,0,.075)}.table .thead-dark th{color:#fff;background-color:#343a40;border-color:#454d55}.table .thead-light th{color:#495057;background-color:#e9ecef;border-color:#dee2e6}.table-dark{color:#fff;background-color:#343a40}.table-dark td,.table-dark th,.table-dark thead th{border-color:#454d55}.table-dark.table-bordered{border:0}.table-dark.table-striped tbody tr:nth-of-type(odd){background-color:rgba(255,255,255,.05)}.table-dark.table-hover tbody tr:hover{color:#fff;background-color:rgba(255,255,255,.075)}@media (max-width:575.98px){.table-responsive-sm{display:block;width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}.table-responsive-sm>.table-bordered{border:0}}@media (max-width:767.98px){.table-responsive-md{display:block;width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}.table-responsive-md>.table-bordered{border:0}}@media (max-width:991.98px){.table-responsive-lg{display:block;width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}.table-responsive-lg>.table-bordered{border:0}}@media (max-width:1199.98px){.table-responsive-xl{display:block;width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}.table-responsive-xl>.table-bordered{border:0}}.table-responsive{display:block;width:100%;overflow-x:auto;-webkit-overflow-scrolling:touch}.table-responsive>.table-bordered{border:0}.form-control{display:block;width:100%;height:calc(1.5em + .75rem + 2px);padding:.375rem .75rem;font-size:1rem;font-weight:400;line-height:1.5;color:#495057;background-color:#fff;background-clip:padding-box;border:1px solid #ced4da;border-radius:.25rem;transition:border-color .15s ease-in-out,box-shadow .15s ease-in-out}@media (prefers-reduced-motion:reduce){.form-control{transition:none}}.form-control::-ms-expand{background-color:transparent;border:0}.form-control:-moz-focusring{color:transparent;text-shadow:0 0 0 #495057}.form-control:focus{color:#495057;background-color:#fff;border-color:#80bdff;outline:0;box-shadow:0 0 0 .2rem rgba(0,123,255,.25)}.form-control::-webkit-input-placeholder{color:#6c757d;opacity:1}.form-control::-moz-placeholder{color:#6c757d;opacity:1}.form-control:-ms-input-placeholder{color:#6c757d;opacity:1}.form-control::-ms-input-placeholder{color:#6c757d;opacity:1}.form-control::placeholder{color:#6c757d;opacity:1}.form-control:disabled,.form-control[readonly]{background-color:#e9ecef;opacity:1}input[type=date].form-control,input[type=datetime-local].form-control,input[type=month].form-control,input[type=time].form-control{-webkit-appearance:none;-moz-appearance:none;appearance:none}select.form-control:focus::-ms-value{color:#495057;background-color:#fff}.form-control-file,.form-control-range{display:block;width:100%}.col-form-label{padding-top:calc(.375rem + 1px);padding-bottom:calc(.375rem + 1px);margin-bottom:0;font-size:inherit;line-height:1.5}.col-form-label-lg{padding-top:calc(.5rem + 1px);padding-bottom:calc(.5rem + 1px);font-size:1.25rem;line-height:1.5}.col-form-label-sm{padding-top:calc(.25rem + 1px);padding-bottom:calc(.25rem + 1px);font-size:.875rem;line-height:1.5}.form-control-plaintext{display:block;width:100%;padding:.375rem 0;margin-bottom:0;font-size:1rem;line-height:1.5;color:#212529;background-color:transparent;border:solid transparent;border-width:1px 0}.form-control-plaintext.form-control-lg,.form-control-plaintext.form-control-sm{padding-right:0;padding-left:0}.form-control-sm{height:calc(1.5em + .5rem + 2px);padding:.25rem .5rem;font-size:.875rem;line-height:1.5;border-radius:.2rem}.form-control-lg{height:calc(1.5em + 1rem + 2px);padding:.5rem 1rem;font-size:1.25rem;line-height:1.5;border-radius:.3rem}select.form-control[multiple],select.form-control[size]{height:auto}textarea.form-control{height:auto}.form-group{margin-bottom:1rem}.form-text{display:block;margin-top:.25rem}.form-row{display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;margin-right:-5px;margin-left:-5px}.form-row>.col,.form-row>[class*=col-]{padding-right:5px;padding-left:5px}.form-check{position:relative;display:block;padding-left:1.25rem}.form-check-input{position:absolute;margin-top:.3rem;margin-left:-1.25rem}.form-check-input:disabled~.form-check-label,.form-check-input[disabled]~.form-check-label{color:#6c757d}.form-check-label{margin-bottom:0}.form-check-inline{display:-ms-inline-flexbox;display:inline-flex;-ms-flex-align:center;align-items:center;padding-left:0;margin-right:.75rem}.form-check-inline .form-check-input{position:static;margin-top:0;margin-right:.3125rem;margin-left:0}.valid-feedback{display:none;width:100%;margin-top:.25rem;font-size:80%;color:#28a745}.valid-tooltip{position:absolute;top:100%;z-index:5;display:none;max-width:100%;padding:.25rem .5rem;margin-top:.1rem;font-size:.875rem;line-height:1.5;color:#fff;background-color:rgba(40,167,69,.9);border-radius:.25rem}.is-valid~.valid-feedback,.is-valid~.valid-tooltip,.was-validated :valid~.valid-feedback,.was-validated :valid~.valid-tooltip{display:block}.form-control.is-valid,.was-validated .form-control:valid{border-color:#28a745;padding-right:calc(1.5em + .75rem);background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='8' height='8' viewBox='0 0 8 8'%3e%3cpath fill='%2328a745' d='M2.3 6.73L.6 4.53c-.4-1.04.46-1.4 1.1-.8l1.1 1.4 3.4-3.8c.6-.63 1.6-.27 1.2.7l-4 4.6c-.43.5-.8.4-1.1.1z'/%3e%3c/svg%3e");background-repeat:no-repeat;background-position:right calc(.375em + .1875rem) center;background-size:calc(.75em + .375rem) calc(.75em + .375rem)}.form-control.is-valid:focus,.was-validated .form-control:valid:focus{border-color:#28a745;box-shadow:0 0 0 .2rem rgba(40,167,69,.25)}.was-validated textarea.form-control:valid,textarea.form-control.is-valid{padding-right:calc(1.5em + .75rem);background-position:top calc(.375em + .1875rem) right calc(.375em + .1875rem)}.custom-select.is-valid,.was-validated .custom-select:valid{border-color:#28a745;padding-right:calc(.75em + 2.3125rem);background:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='4' height='5' viewBox='0 0 4 5'%3e%3cpath fill='%23343a40' d='M2 0L0 2h4zm0 5L0 3h4z'/%3e%3c/svg%3e") no-repeat right .75rem center/8px 10px,url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='8' height='8' viewBox='0 0 8 8'%3e%3cpath fill='%2328a745' d='M2.3 6.73L.6 4.53c-.4-1.04.46-1.4 1.1-.8l1.1 1.4 3.4-3.8c.6-.63 1.6-.27 1.2.7l-4 4.6c-.43.5-.8.4-1.1.1z'/%3e%3c/svg%3e") #fff no-repeat center right 1.75rem/calc(.75em + .375rem) calc(.75em + .375rem)}.custom-select.is-valid:focus,.was-validated .custom-select:valid:focus{border-color:#28a745;box-shadow:0 0 0 .2rem rgba(40,167,69,.25)}.form-check-input.is-valid~.form-check-label,.was-validated .form-check-input:valid~.form-check-label{color:#28a745}.form-check-input.is-valid~.valid-feedback,.form-check-input.is-valid~.valid-tooltip,.was-validated .form-check-input:valid~.valid-feedback,.was-validated .form-check-input:valid~.valid-tooltip{display:block}.custom-control-input.is-valid~.custom-control-label,.was-validated .custom-control-input:valid~.custom-control-label{color:#28a745}.custom-control-input.is-valid~.custom-control-label::before,.was-validated .custom-control-input:valid~.custom-control-label::before{border-color:#28a745}.custom-control-input.is-valid:checked~.custom-control-label::before,.was-validated .custom-control-input:valid:checked~.custom-control-label::before{border-color:#34ce57;background-color:#34ce57}.custom-control-input.is-valid:focus~.custom-control-label::before,.was-validated .custom-control-input:valid:focus~.custom-control-label::before{box-shadow:0 0 0 .2rem rgba(40,167,69,.25)}.custom-control-input.is-valid:focus:not(:checked)~.custom-control-label::before,.was-validated .custom-control-input:valid:focus:not(:checked)~.custom-control-label::before{border-color:#28a745}.custom-file-input.is-valid~.custom-file-label,.was-validated .custom-file-input:valid~.custom-file-label{border-color:#28a745}.custom-file-input.is-valid:focus~.custom-file-label,.was-validated .custom-file-input:valid:focus~.custom-file-label{border-color:#28a745;box-shadow:0 0 0 .2rem rgba(40,167,69,.25)}.invalid-feedback{display:none;width:100%;margin-top:.25rem;font-size:80%;color:#dc3545}.invalid-tooltip{position:absolute;top:100%;z-index:5;display:none;max-width:100%;padding:.25rem .5rem;margin-top:.1rem;font-size:.875rem;line-height:1.5;color:#fff;background-color:rgba(220,53,69,.9);border-radius:.25rem}.is-invalid~.invalid-feedback,.is-invalid~.invalid-tooltip,.was-validated :invalid~.invalid-feedback,.was-validated :invalid~.invalid-tooltip{display:block}.form-control.is-invalid,.was-validated .form-control:invalid{border-color:#dc3545;padding-right:calc(1.5em + .75rem);background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='12' height='12' fill='none' stroke='%23dc3545' viewBox='0 0 12 12'%3e%3ccircle cx='6' cy='6' r='4.5'/%3e%3cpath stroke-linejoin='round' d='M5.8 3.6h.4L6 6.5z'/%3e%3ccircle cx='6' cy='8.2' r='.6' fill='%23dc3545' stroke='none'/%3e%3c/svg%3e");background-repeat:no-repeat;background-position:right calc(.375em + .1875rem) center;background-size:calc(.75em + .375rem) calc(.75em + .375rem)}.form-control.is-invalid:focus,.was-validated .form-control:invalid:focus{border-color:#dc3545;box-shadow:0 0 0 .2rem rgba(220,53,69,.25)}.was-validated textarea.form-control:invalid,textarea.form-control.is-invalid{padding-right:calc(1.5em + .75rem);background-position:top calc(.375em + .1875rem) right calc(.375em + .1875rem)}.custom-select.is-invalid,.was-validated .custom-select:invalid{border-color:#dc3545;padding-right:calc(.75em + 2.3125rem);background:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='4' height='5' viewBox='0 0 4 5'%3e%3cpath fill='%23343a40' d='M2 0L0 2h4zm0 5L0 3h4z'/%3e%3c/svg%3e") no-repeat right .75rem center/8px 10px,url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='12' height='12' fill='none' stroke='%23dc3545' viewBox='0 0 12 12'%3e%3ccircle cx='6' cy='6' r='4.5'/%3e%3cpath stroke-linejoin='round' d='M5.8 3.6h.4L6 6.5z'/%3e%3ccircle cx='6' cy='8.2' r='.6' fill='%23dc3545' stroke='none'/%3e%3c/svg%3e") #fff no-repeat center right 1.75rem/calc(.75em + .375rem) calc(.75em + .375rem)}.custom-select.is-invalid:focus,.was-validated .custom-select:invalid:focus{border-color:#dc3545;box-shadow:0 0 0 .2rem rgba(220,53,69,.25)}.form-check-input.is-invalid~.form-check-label,.was-validated .form-check-input:invalid~.form-check-label{color:#dc3545}.form-check-input.is-invalid~.invalid-feedback,.form-check-input.is-invalid~.invalid-tooltip,.was-validated .form-check-input:invalid~.invalid-feedback,.was-validated .form-check-input:invalid~.invalid-tooltip{display:block}.custom-control-input.is-invalid~.custom-control-label,.was-validated .custom-control-input:invalid~.custom-control-label{color:#dc3545}.custom-control-input.is-invalid~.custom-control-label::before,.was-validated .custom-control-input:invalid~.custom-control-label::before{border-color:#dc3545}.custom-control-input.is-invalid:checked~.custom-control-label::before,.was-validated .custom-control-input:invalid:checked~.custom-control-label::before{border-color:#e4606d;background-color:#e4606d}.custom-control-input.is-invalid:focus~.custom-control-label::before,.was-validated .custom-control-input:invalid:focus~.custom-control-label::before{box-shadow:0 0 0 .2rem rgba(220,53,69,.25)}.custom-control-input.is-invalid:focus:not(:checked)~.custom-control-label::before,.was-validated .custom-control-input:invalid:focus:not(:checked)~.custom-control-label::before{border-color:#dc3545}.custom-file-input.is-invalid~.custom-file-label,.was-validated .custom-file-input:invalid~.custom-file-label{border-color:#dc3545}.custom-file-input.is-invalid:focus~.custom-file-label,.was-validated .custom-file-input:invalid:focus~.custom-file-label{border-color:#dc3545;box-shadow:0 0 0 .2rem rgba(220,53,69,.25)}.form-inline{display:-ms-flexbox;display:flex;-ms-flex-flow:row wrap;flex-flow:row wrap;-ms-flex-align:center;align-items:center}.form-inline .form-check{width:100%}@media (min-width:576px){.form-inline label{display:-ms-flexbox;display:flex;-ms-flex-align:center;align-items:center;-ms-flex-pack:center;justify-content:center;margin-bottom:0}.form-inline .form-group{display:-ms-flexbox;display:flex;-ms-flex:0 0 auto;flex:0 0 auto;-ms-flex-flow:row wrap;flex-flow:row wrap;-ms-flex-align:center;align-items:center;margin-bottom:0}.form-inline .form-control{display:inline-block;width:auto;vertical-align:middle}.form-inline .form-control-plaintext{display:inline-block}.form-inline .custom-select,.form-inline .input-group{width:auto}.form-inline .form-check{display:-ms-flexbox;display:flex;-ms-flex-align:center;align-items:center;-ms-flex-pack:center;justify-content:center;width:auto;padding-left:0}.form-inline .form-check-input{position:relative;-ms-flex-negative:0;flex-shrink:0;margin-top:0;margin-right:.25rem;margin-left:0}.form-inline .custom-control{-ms-flex-align:center;align-items:center;-ms-flex-pack:center;justify-content:center}.form-inline .custom-control-label{margin-bottom:0}}.btn{display:inline-block;font-weight:400;color:#212529;text-align:center;vertical-align:middle;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;user-select:none;background-color:transparent;border:1px solid transparent;padding:.375rem .75rem;font-size:1rem;line-height:1.5;border-radius:.25rem;transition:color .15s ease-in-out,background-color .15s ease-in-out,border-color .15s ease-in-out,box-shadow .15s ease-in-out}@media (prefers-reduced-motion:reduce){.btn{transition:none}}.btn:hover{color:#212529;text-decoration:none}.btn.focus,.btn:focus{outline:0;box-shadow:0 0 0 .2rem rgba(0,123,255,.25)}.btn.disabled,.btn:disabled{opacity:.65}.btn:not(:disabled):not(.disabled){cursor:pointer}a.btn.disabled,fieldset:disabled a.btn{pointer-events:none}.btn-primary{color:#fff;background-color:#007bff;border-color:#007bff}.btn-primary:hover{color:#fff;background-color:#0069d9;border-color:#0062cc}.btn-primary.focus,.btn-primary:focus{color:#fff;background-color:#0069d9;border-color:#0062cc;box-shadow:0 0 0 .2rem rgba(38,143,255,.5)}.btn-primary.disabled,.btn-primary:disabled{color:#fff;background-color:#007bff;border-color:#007bff}.btn-primary:not(:disabled):not(.disabled).active,.btn-primary:not(:disabled):not(.disabled):active,.show>.btn-primary.dropdown-toggle{color:#fff;background-color:#0062cc;border-color:#005cbf}.btn-primary:not(:disabled):not(.disabled).active:focus,.btn-primary:not(:disabled):not(.disabled):active:focus,.show>.btn-primary.dropdown-toggle:focus{box-shadow:0 0 0 .2rem rgba(38,143,255,.5)}.btn-secondary{color:#fff;background-color:#6c757d;border-color:#6c757d}.btn-secondary:hover{color:#fff;background-color:#5a6268;border-color:#545b62}.btn-secondary.focus,.btn-secondary:focus{color:#fff;background-color:#5a6268;border-color:#545b62;box-shadow:0 0 0 .2rem rgba(130,138,145,.5)}.btn-secondary.disabled,.btn-secondary:disabled{color:#fff;background-color:#6c757d;border-color:#6c757d}.btn-secondary:not(:disabled):not(.disabled).active,.btn-secondary:not(:disabled):not(.disabled):active,.show>.btn-secondary.dropdown-toggle{color:#fff;background-color:#545b62;border-color:#4e555b}.btn-secondary:not(:disabled):not(.disabled).active:focus,.btn-secondary:not(:disabled):not(.disabled):active:focus,.show>.btn-secondary.dropdown-toggle:focus{box-shadow:0 0 0 .2rem rgba(130,138,145,.5)}.btn-success{color:#fff;background-color:#28a745;border-color:#28a745}.btn-success:hover{color:#fff;background-color:#218838;border-color:#1e7e34}.btn-success.focus,.btn-success:focus{color:#fff;background-color:#218838;border-color:#1e7e34;box-shadow:0 0 0 .2rem rgba(72,180,97,.5)}.btn-success.disabled,.btn-success:disabled{color:#fff;background-color:#28a745;border-color:#28a745}.btn-success:not(:disabled):not(.disabled).active,.btn-success:not(:disabled):not(.disabled):active,.show>.btn-success.dropdown-toggle{color:#fff;background-color:#1e7e34;border-color:#1c7430}.btn-success:not(:disabled):not(.disabled).active:focus,.btn-success:not(:disabled):not(.disabled):active:focus,.show>.btn-success.dropdown-toggle:focus{box-shadow:0 0 0 .2rem rgba(72,180,97,.5)}.btn-info{color:#fff;background-color:#17a2b8;border-color:#17a2b8}.btn-info:hover{color:#fff;background-color:#138496;border-color:#117a8b}.btn-info.focus,.btn-info:focus{color:#fff;background-color:#138496;border-color:#117a8b;box-shadow:0 0 0 .2rem rgba(58,176,195,.5)}.btn-info.disabled,.btn-info:disabled{color:#fff;background-color:#17a2b8;border-color:#17a2b8}.btn-info:not(:disabled):not(.disabled).active,.btn-info:not(:disabled):not(.disabled):active,.show>.btn-info.dropdown-toggle{color:#fff;background-color:#117a8b;border-color:#10707f}.btn-info:not(:disabled):not(.disabled).active:focus,.btn-info:not(:disabled):not(.disabled):active:focus,.show>.btn-info.dropdown-toggle:focus{box-shadow:0 0 0 .2rem rgba(58,176,195,.5)}.btn-warning{color:#212529;background-color:#ffc107;border-color:#ffc107}.btn-warning:hover{color:#212529;background-color:#e0a800;border-color:#d39e00}.btn-warning.focus,.btn-warning:focus{color:#212529;background-color:#e0a800;border-color:#d39e00;box-shadow:0 0 0 .2rem rgba(222,170,12,.5)}.btn-warning.disabled,.btn-warning:disabled{color:#212529;background-color:#ffc107;border-color:#ffc107}.btn-warning:not(:disabled):not(.disabled).active,.btn-warning:not(:disabled):not(.disabled):active,.show>.btn-warning.dropdown-toggle{color:#212529;background-color:#d39e00;border-color:#c69500}.btn-warning:not(:disabled):not(.disabled).active:focus,.btn-warning:not(:disabled):not(.disabled):active:focus,.show>.btn-warning.dropdown-toggle:focus{box-shadow:0 0 0 .2rem rgba(222,170,12,.5)}.btn-danger{color:#fff;background-color:#dc3545;border-color:#dc3545}.btn-danger:hover{color:#fff;background-color:#c82333;border-color:#bd2130}.btn-danger.focus,.btn-danger:focus{color:#fff;background-color:#c82333;border-color:#bd2130;box-shadow:0 0 0 .2rem rgba(225,83,97,.5)}.btn-danger.disabled,.btn-danger:disabled{color:#fff;background-color:#dc3545;border-color:#dc3545}.btn-danger:not(:disabled):not(.disabled).active,.btn-danger:not(:disabled):not(.disabled):active,.show>.btn-danger.dropdown-toggle{color:#fff;background-color:#bd2130;border-color:#b21f2d}.btn-danger:not(:disabled):not(.disabled).active:focus,.btn-danger:not(:disabled):not(.disabled):active:focus,.show>.btn-danger.dropdown-toggle:focus{box-shadow:0 0 0 .2rem rgba(225,83,97,.5)}.btn-light{color:#212529;background-color:#f8f9fa;border-color:#f8f9fa}.btn-light:hover{color:#212529;background-color:#e2e6ea;border-color:#dae0e5}.btn-light.focus,.btn-light:focus{color:#212529;background-color:#e2e6ea;border-color:#dae0e5;box-shadow:0 0 0 .2rem rgba(216,217,219,.5)}.btn-light.disabled,.btn-light:disabled{color:#212529;background-color:#f8f9fa;border-color:#f8f9fa}.btn-light:not(:disabled):not(.disabled).active,.btn-light:not(:disabled):not(.disabled):active,.show>.btn-light.dropdown-toggle{color:#212529;background-color:#dae0e5;border-color:#d3d9df}.btn-light:not(:disabled):not(.disabled).active:focus,.btn-light:not(:disabled):not(.disabled):active:focus,.show>.btn-light.dropdown-toggle:focus{box-shadow:0 0 0 .2rem rgba(216,217,219,.5)}.btn-dark{color:#fff;background-color:#343a40;border-color:#343a40}.btn-dark:hover{color:#fff;background-color:#23272b;border-color:#1d2124}.btn-dark.focus,.btn-dark:focus{color:#fff;background-color:#23272b;border-color:#1d2124;box-shadow:0 0 0 .2rem rgba(82,88,93,.5)}.btn-dark.disabled,.btn-dark:disabled{color:#fff;background-color:#343a40;border-color:#343a40}.btn-dark:not(:disabled):not(.disabled).active,.btn-dark:not(:disabled):not(.disabled):active,.show>.btn-dark.dropdown-toggle{color:#fff;background-color:#1d2124;border-color:#171a1d}.btn-dark:not(:disabled):not(.disabled).active:focus,.btn-dark:not(:disabled):not(.disabled):active:focus,.show>.btn-dark.dropdown-toggle:focus{box-shadow:0 0 0 .2rem rgba(82,88,93,.5)}.btn-outline-primary{color:#007bff;border-color:#007bff}.btn-outline-primary:hover{color:#fff;background-color:#007bff;border-color:#007bff}.btn-outline-primary.focus,.btn-outline-primary:focus{box-shadow:0 0 0 .2rem rgba(0,123,255,.5)}.btn-outline-primary.disabled,.btn-outline-primary:disabled{color:#007bff;background-color:transparent}.btn-outline-primary:not(:disabled):not(.disabled).active,.btn-outline-primary:not(:disabled):not(.disabled):active,.show>.btn-outline-primary.dropdown-toggle{color:#fff;background-color:#007bff;border-color:#007bff}.btn-outline-primary:not(:disabled):not(.disabled).active:focus,.btn-outline-primary:not(:disabled):not(.disabled):active:focus,.show>.btn-outline-primary.dropdown-toggle:focus{box-shadow:0 0 0 .2rem rgba(0,123,255,.5)}.btn-outline-secondary{color:#6c757d;border-color:#6c757d}.btn-outline-secondary:hover{color:#fff;background-color:#6c757d;border-color:#6c757d}.btn-outline-secondary.focus,.btn-outline-secondary:focus{box-shadow:0 0 0 .2rem rgba(108,117,125,.5)}.btn-outline-secondary.disabled,.btn-outline-secondary:disabled{color:#6c757d;background-color:transparent}.btn-outline-secondary:not(:disabled):not(.disabled).active,.btn-outline-secondary:not(:disabled):not(.disabled):active,.show>.btn-outline-secondary.dropdown-toggle{color:#fff;background-color:#6c757d;border-color:#6c757d}.btn-outline-secondary:not(:disabled):not(.disabled).active:focus,.btn-outline-secondary:not(:disabled):not(.disabled):active:focus,.show>.btn-outline-secondary.dropdown-toggle:focus{box-shadow:0 0 0 .2rem rgba(108,117,125,.5)}.btn-outline-success{color:#28a745;border-color:#28a745}.btn-outline-success:hover{color:#fff;background-color:#28a745;border-color:#28a745}.btn-outline-success.focus,.btn-outline-success:focus{box-shadow:0 0 0 .2rem rgba(40,167,69,.5)}.btn-outline-success.disabled,.btn-outline-success:disabled{color:#28a745;background-color:transparent}.btn-outline-success:not(:disabled):not(.disabled).active,.btn-outline-success:not(:disabled):not(.disabled):active,.show>.btn-outline-success.dropdown-toggle{color:#fff;background-color:#28a745;border-color:#28a745}.btn-outline-success:not(:disabled):not(.disabled).active:focus,.btn-outline-success:not(:disabled):not(.disabled):active:focus,.show>.btn-outline-success.dropdown-toggle:focus{box-shadow:0 0 0 .2rem rgba(40,167,69,.5)}.btn-outline-info{color:#17a2b8;border-color:#17a2b8}.btn-outline-info:hover{color:#fff;background-color:#17a2b8;border-color:#17a2b8}.btn-outline-info.focus,.btn-outline-info:focus{box-shadow:0 0 0 .2rem rgba(23,162,184,.5)}.btn-outline-info.disabled,.btn-outline-info:disabled{color:#17a2b8;background-color:transparent}.btn-outline-info:not(:disabled):not(.disabled).active,.btn-outline-info:not(:disabled):not(.disabled):active,.show>.btn-outline-info.dropdown-toggle{color:#fff;background-color:#17a2b8;border-color:#17a2b8}.btn-outline-info:not(:disabled):not(.disabled).active:focus,.btn-outline-info:not(:disabled):not(.disabled):active:focus,.show>.btn-outline-info.dropdown-toggle:focus{box-shadow:0 0 0 .2rem rgba(23,162,184,.5)}.btn-outline-warning{color:#ffc107;border-color:#ffc107}.btn-outline-warning:hover{color:#212529;background-color:#ffc107;border-color:#ffc107}.btn-outline-warning.focus,.btn-outline-warning:focus{box-shadow:0 0 0 .2rem rgba(255,193,7,.5)}.btn-outline-warning.disabled,.btn-outline-warning:disabled{color:#ffc107;background-color:transparent}.btn-outline-warning:not(:disabled):not(.disabled).active,.btn-outline-warning:not(:disabled):not(.disabled):active,.show>.btn-outline-warning.dropdown-toggle{color:#212529;background-color:#ffc107;border-color:#ffc107}.btn-outline-warning:not(:disabled):not(.disabled).active:focus,.btn-outline-warning:not(:disabled):not(.disabled):active:focus,.show>.btn-outline-warning.dropdown-toggle:focus{box-shadow:0 0 0 .2rem rgba(255,193,7,.5)}.btn-outline-danger{color:#dc3545;border-color:#dc3545}.btn-outline-danger:hover{color:#fff;background-color:#dc3545;border-color:#dc3545}.btn-outline-danger.focus,.btn-outline-danger:focus{box-shadow:0 0 0 .2rem rgba(220,53,69,.5)}.btn-outline-danger.disabled,.btn-outline-danger:disabled{color:#dc3545;background-color:transparent}.btn-outline-danger:not(:disabled):not(.disabled).active,.btn-outline-danger:not(:disabled):not(.disabled):active,.show>.btn-outline-danger.dropdown-toggle{color:#fff;background-color:#dc3545;border-color:#dc3545}.btn-outline-danger:not(:disabled):not(.disabled).active:focus,.btn-outline-danger:not(:disabled):not(.disabled):active:focus,.show>.btn-outline-danger.dropdown-toggle:focus{box-shadow:0 0 0 .2rem rgba(220,53,69,.5)}.btn-outline-light{color:#f8f9fa;border-color:#f8f9fa}.btn-outline-light:hover{color:#212529;background-color:#f8f9fa;border-color:#f8f9fa}.btn-outline-light.focus,.btn-outline-light:focus{box-shadow:0 0 0 .2rem rgba(248,249,250,.5)}.btn-outline-light.disabled,.btn-outline-light:disabled{color:#f8f9fa;background-color:transparent}.btn-outline-light:not(:disabled):not(.disabled).active,.btn-outline-light:not(:disabled):not(.disabled):active,.show>.btn-outline-light.dropdown-toggle{color:#212529;background-color:#f8f9fa;border-color:#f8f9fa}.btn-outline-light:not(:disabled):not(.disabled).active:focus,.btn-outline-light:not(:disabled):not(.disabled):active:focus,.show>.btn-outline-light.dropdown-toggle:focus{box-shadow:0 0 0 .2rem rgba(248,249,250,.5)}.btn-outline-dark{color:#343a40;border-color:#343a40}.btn-outline-dark:hover{color:#fff;background-color:#343a40;border-color:#343a40}.btn-outline-dark.focus,.btn-outline-dark:focus{box-shadow:0 0 0 .2rem rgba(52,58,64,.5)}.btn-outline-dark.disabled,.btn-outline-dark:disabled{color:#343a40;background-color:transparent}.btn-outline-dark:not(:disabled):not(.disabled).active,.btn-outline-dark:not(:disabled):not(.disabled):active,.show>.btn-outline-dark.dropdown-toggle{color:#fff;background-color:#343a40;border-color:#343a40}.btn-outline-dark:not(:disabled):not(.disabled).active:focus,.btn-outline-dark:not(:disabled):not(.disabled):active:focus,.show>.btn-outline-dark.dropdown-toggle:focus{box-shadow:0 0 0 .2rem rgba(52,58,64,.5)}.btn-link{font-weight:400;color:#007bff;text-decoration:none}.btn-link:hover{color:#0056b3;text-decoration:underline}.btn-link.focus,.btn-link:focus{text-decoration:underline}.btn-link.disabled,.btn-link:disabled{color:#6c757d;pointer-events:none}.btn-group-lg>.btn,.btn-lg{padding:.5rem 1rem;font-size:1.25rem;line-height:1.5;border-radius:.3rem}.btn-group-sm>.btn,.btn-sm{padding:.25rem .5rem;font-size:.875rem;line-height:1.5;border-radius:.2rem}.btn-block{display:block;width:100%}.btn-block+.btn-block{margin-top:.5rem}input[type=button].btn-block,input[type=reset].btn-block,input[type=submit].btn-block{width:100%}.fade{transition:opacity .15s linear}@media (prefers-reduced-motion:reduce){.fade{transition:none}}.fade:not(.show){opacity:0}.collapse:not(.show){display:none}.collapsing{position:relative;height:0;overflow:hidden;transition:height .35s ease}@media (prefers-reduced-motion:reduce){.collapsing{transition:none}}.dropdown,.dropleft,.dropright,.dropup{position:relative}.dropdown-toggle{white-space:nowrap}.dropdown-toggle::after{display:inline-block;margin-left:.255em;vertical-align:.255em;content:"";border-top:.3em solid;border-right:.3em solid transparent;border-bottom:0;border-left:.3em solid transparent}.dropdown-toggle:empty::after{margin-left:0}.dropdown-menu{position:absolute;top:100%;left:0;z-index:1000;display:none;float:left;min-width:10rem;padding:.5rem 0;margin:.125rem 0 0;font-size:1rem;color:#212529;text-align:left;list-style:none;background-color:#fff;background-clip:padding-box;border:1px solid rgba(0,0,0,.15);border-radius:.25rem}.dropdown-menu-left{right:auto;left:0}.dropdown-menu-right{right:0;left:auto}@media (min-width:576px){.dropdown-menu-sm-left{right:auto;left:0}.dropdown-menu-sm-right{right:0;left:auto}}@media (min-width:768px){.dropdown-menu-md-left{right:auto;left:0}.dropdown-menu-md-right{right:0;left:auto}}@media (min-width:992px){.dropdown-menu-lg-left{right:auto;left:0}.dropdown-menu-lg-right{right:0;left:auto}}@media (min-width:1200px){.dropdown-menu-xl-left{right:auto;left:0}.dropdown-menu-xl-right{right:0;left:auto}}.dropup .dropdown-menu{top:auto;bottom:100%;margin-top:0;margin-bottom:.125rem}.dropup .dropdown-toggle::after{display:inline-block;margin-left:.255em;vertical-align:.255em;content:"";border-top:0;border-right:.3em solid transparent;border-bottom:.3em solid;border-left:.3em solid transparent}.dropup .dropdown-toggle:empty::after{margin-left:0}.dropright .dropdown-menu{top:0;right:auto;left:100%;margin-top:0;margin-left:.125rem}.dropright .dropdown-toggle::after{display:inline-block;margin-left:.255em;vertical-align:.255em;content:"";border-top:.3em solid transparent;border-right:0;border-bottom:.3em solid transparent;border-left:.3em solid}.dropright .dropdown-toggle:empty::after{margin-left:0}.dropright .dropdown-toggle::after{vertical-align:0}.dropleft .dropdown-menu{top:0;right:100%;left:auto;margin-top:0;margin-right:.125rem}.dropleft .dropdown-toggle::after{display:inline-block;margin-left:.255em;vertical-align:.255em;content:""}.dropleft .dropdown-toggle::after{display:none}.dropleft .dropdown-toggle::before{display:inline-block;margin-right:.255em;vertical-align:.255em;content:"";border-top:.3em solid transparent;border-right:.3em solid;border-bottom:.3em solid transparent}.dropleft .dropdown-toggle:empty::after{margin-left:0}.dropleft .dropdown-toggle::before{vertical-align:0}.dropdown-menu[x-placement^=bottom],.dropdown-menu[x-placement^=left],.dropdown-menu[x-placement^=right],.dropdown-menu[x-placement^=top]{right:auto;bottom:auto}.dropdown-divider{height:0;margin:.5rem 0;overflow:hidden;border-top:1px solid #e9ecef}.dropdown-item{display:block;width:100%;padding:.25rem 1.5rem;clear:both;font-weight:400;color:#212529;text-align:inherit;white-space:nowrap;background-color:transparent;border:0}.dropdown-item:focus,.dropdown-item:hover{color:#16181b;text-decoration:none;background-color:#f8f9fa}.dropdown-item.active,.dropdown-item:active{color:#fff;text-decoration:none;background-color:#007bff}.dropdown-item.disabled,.dropdown-item:disabled{color:#6c757d;pointer-events:none;background-color:transparent}.dropdown-menu.show{display:block}.dropdown-header{display:block;padding:.5rem 1.5rem;margin-bottom:0;font-size:.875rem;color:#6c757d;white-space:nowrap}.dropdown-item-text{display:block;padding:.25rem 1.5rem;color:#212529}.btn-group,.btn-group-vertical{position:relative;display:-ms-inline-flexbox;display:inline-flex;vertical-align:middle}.btn-group-vertical>.btn,.btn-group>.btn{position:relative;-ms-flex:1 1 auto;flex:1 1 auto}.btn-group-vertical>.btn:hover,.btn-group>.btn:hover{z-index:1}.btn-group-vertical>.btn.active,.btn-group-vertical>.btn:active,.btn-group-vertical>.btn:focus,.btn-group>.btn.active,.btn-group>.btn:active,.btn-group>.btn:focus{z-index:1}.btn-toolbar{display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;-ms-flex-pack:start;justify-content:flex-start}.btn-toolbar .input-group{width:auto}.btn-group>.btn-group:not(:first-child),.btn-group>.btn:not(:first-child){margin-left:-1px}.btn-group>.btn-group:not(:last-child)>.btn,.btn-group>.btn:not(:last-child):not(.dropdown-toggle){border-top-right-radius:0;border-bottom-right-radius:0}.btn-group>.btn-group:not(:first-child)>.btn,.btn-group>.btn:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.dropdown-toggle-split{padding-right:.5625rem;padding-left:.5625rem}.dropdown-toggle-split::after,.dropright .dropdown-toggle-split::after,.dropup .dropdown-toggle-split::after{margin-left:0}.dropleft .dropdown-toggle-split::before{margin-right:0}.btn-group-sm>.btn+.dropdown-toggle-split,.btn-sm+.dropdown-toggle-split{padding-right:.375rem;padding-left:.375rem}.btn-group-lg>.btn+.dropdown-toggle-split,.btn-lg+.dropdown-toggle-split{padding-right:.75rem;padding-left:.75rem}.btn-group-vertical{-ms-flex-direction:column;flex-direction:column;-ms-flex-align:start;align-items:flex-start;-ms-flex-pack:center;justify-content:center}.btn-group-vertical>.btn,.btn-group-vertical>.btn-group{width:100%}.btn-group-vertical>.btn-group:not(:first-child),.btn-group-vertical>.btn:not(:first-child){margin-top:-1px}.btn-group-vertical>.btn-group:not(:last-child)>.btn,.btn-group-vertical>.btn:not(:last-child):not(.dropdown-toggle){border-bottom-right-radius:0;border-bottom-left-radius:0}.btn-group-vertical>.btn-group:not(:first-child)>.btn,.btn-group-vertical>.btn:not(:first-child){border-top-left-radius:0;border-top-right-radius:0}.btn-group-toggle>.btn,.btn-group-toggle>.btn-group>.btn{margin-bottom:0}.btn-group-toggle>.btn input[type=checkbox],.btn-group-toggle>.btn input[type=radio],.btn-group-toggle>.btn-group>.btn input[type=checkbox],.btn-group-toggle>.btn-group>.btn input[type=radio]{position:absolute;clip:rect(0,0,0,0);pointer-events:none}.input-group{position:relative;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;-ms-flex-align:stretch;align-items:stretch;width:100%}.input-group>.custom-file,.input-group>.custom-select,.input-group>.form-control,.input-group>.form-control-plaintext{position:relative;-ms-flex:1 1 auto;flex:1 1 auto;width:1%;min-width:0;margin-bottom:0}.input-group>.custom-file+.custom-file,.input-group>.custom-file+.custom-select,.input-group>.custom-file+.form-control,.input-group>.custom-select+.custom-file,.input-group>.custom-select+.custom-select,.input-group>.custom-select+.form-control,.input-group>.form-control+.custom-file,.input-group>.form-control+.custom-select,.input-group>.form-control+.form-control,.input-group>.form-control-plaintext+.custom-file,.input-group>.form-control-plaintext+.custom-select,.input-group>.form-control-plaintext+.form-control{margin-left:-1px}.input-group>.custom-file .custom-file-input:focus~.custom-file-label,.input-group>.custom-select:focus,.input-group>.form-control:focus{z-index:3}.input-group>.custom-file .custom-file-input:focus{z-index:4}.input-group>.custom-select:not(:last-child),.input-group>.form-control:not(:last-child){border-top-right-radius:0;border-bottom-right-radius:0}.input-group>.custom-select:not(:first-child),.input-group>.form-control:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.input-group>.custom-file{display:-ms-flexbox;display:flex;-ms-flex-align:center;align-items:center}.input-group>.custom-file:not(:last-child) .custom-file-label,.input-group>.custom-file:not(:last-child) .custom-file-label::after{border-top-right-radius:0;border-bottom-right-radius:0}.input-group>.custom-file:not(:first-child) .custom-file-label{border-top-left-radius:0;border-bottom-left-radius:0}.input-group-append,.input-group-prepend{display:-ms-flexbox;display:flex}.input-group-append .btn,.input-group-prepend .btn{position:relative;z-index:2}.input-group-append .btn:focus,.input-group-prepend .btn:focus{z-index:3}.input-group-append .btn+.btn,.input-group-append .btn+.input-group-text,.input-group-append .input-group-text+.btn,.input-group-append .input-group-text+.input-group-text,.input-group-prepend .btn+.btn,.input-group-prepend .btn+.input-group-text,.input-group-prepend .input-group-text+.btn,.input-group-prepend .input-group-text+.input-group-text{margin-left:-1px}.input-group-prepend{margin-right:-1px}.input-group-append{margin-left:-1px}.input-group-text{display:-ms-flexbox;display:flex;-ms-flex-align:center;align-items:center;padding:.375rem .75rem;margin-bottom:0;font-size:1rem;font-weight:400;line-height:1.5;color:#495057;text-align:center;white-space:nowrap;background-color:#e9ecef;border:1px solid #ced4da;border-radius:.25rem}.input-group-text input[type=checkbox],.input-group-text input[type=radio]{margin-top:0}.input-group-lg>.custom-select,.input-group-lg>.form-control:not(textarea){height:calc(1.5em + 1rem + 2px)}.input-group-lg>.custom-select,.input-group-lg>.form-control,.input-group-lg>.input-group-append>.btn,.input-group-lg>.input-group-append>.input-group-text,.input-group-lg>.input-group-prepend>.btn,.input-group-lg>.input-group-prepend>.input-group-text{padding:.5rem 1rem;font-size:1.25rem;line-height:1.5;border-radius:.3rem}.input-group-sm>.custom-select,.input-group-sm>.form-control:not(textarea){height:calc(1.5em + .5rem + 2px)}.input-group-sm>.custom-select,.input-group-sm>.form-control,.input-group-sm>.input-group-append>.btn,.input-group-sm>.input-group-append>.input-group-text,.input-group-sm>.input-group-prepend>.btn,.input-group-sm>.input-group-prepend>.input-group-text{padding:.25rem .5rem;font-size:.875rem;line-height:1.5;border-radius:.2rem}.input-group-lg>.custom-select,.input-group-sm>.custom-select{padding-right:1.75rem}.input-group>.input-group-append:last-child>.btn:not(:last-child):not(.dropdown-toggle),.input-group>.input-group-append:last-child>.input-group-text:not(:last-child),.input-group>.input-group-append:not(:last-child)>.btn,.input-group>.input-group-append:not(:last-child)>.input-group-text,.input-group>.input-group-prepend>.btn,.input-group>.input-group-prepend>.input-group-text{border-top-right-radius:0;border-bottom-right-radius:0}.input-group>.input-group-append>.btn,.input-group>.input-group-append>.input-group-text,.input-group>.input-group-prepend:first-child>.btn:not(:first-child),.input-group>.input-group-prepend:first-child>.input-group-text:not(:first-child),.input-group>.input-group-prepend:not(:first-child)>.btn,.input-group>.input-group-prepend:not(:first-child)>.input-group-text{border-top-left-radius:0;border-bottom-left-radius:0}.custom-control{position:relative;display:block;min-height:1.5rem;padding-left:1.5rem}.custom-control-inline{display:-ms-inline-flexbox;display:inline-flex;margin-right:1rem}.custom-control-input{position:absolute;left:0;z-index:-1;width:1rem;height:1.25rem;opacity:0}.custom-control-input:checked~.custom-control-label::before{color:#fff;border-color:#007bff;background-color:#007bff}.custom-control-input:focus~.custom-control-label::before{box-shadow:0 0 0 .2rem rgba(0,123,255,.25)}.custom-control-input:focus:not(:checked)~.custom-control-label::before{border-color:#80bdff}.custom-control-input:not(:disabled):active~.custom-control-label::before{color:#fff;background-color:#b3d7ff;border-color:#b3d7ff}.custom-control-input:disabled~.custom-control-label,.custom-control-input[disabled]~.custom-control-label{color:#6c757d}.custom-control-input:disabled~.custom-control-label::before,.custom-control-input[disabled]~.custom-control-label::before{background-color:#e9ecef}.custom-control-label{position:relative;margin-bottom:0;vertical-align:top}.custom-control-label::before{position:absolute;top:.25rem;left:-1.5rem;display:block;width:1rem;height:1rem;pointer-events:none;content:"";background-color:#fff;border:#adb5bd solid 1px}.custom-control-label::after{position:absolute;top:.25rem;left:-1.5rem;display:block;width:1rem;height:1rem;content:"";background:no-repeat 50%/50% 50%}.custom-checkbox .custom-control-label::before{border-radius:.25rem}.custom-checkbox .custom-control-input:checked~.custom-control-label::after{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='8' height='8' viewBox='0 0 8 8'%3e%3cpath fill='%23fff' d='M6.564.75l-3.59 3.612-1.538-1.55L0 4.26l2.974 2.99L8 2.193z'/%3e%3c/svg%3e")}.custom-checkbox .custom-control-input:indeterminate~.custom-control-label::before{border-color:#007bff;background-color:#007bff}.custom-checkbox .custom-control-input:indeterminate~.custom-control-label::after{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='4' height='4' viewBox='0 0 4 4'%3e%3cpath stroke='%23fff' d='M0 2h4'/%3e%3c/svg%3e")}.custom-checkbox .custom-control-input:disabled:checked~.custom-control-label::before{background-color:rgba(0,123,255,.5)}.custom-checkbox .custom-control-input:disabled:indeterminate~.custom-control-label::before{background-color:rgba(0,123,255,.5)}.custom-radio .custom-control-label::before{border-radius:50%}.custom-radio .custom-control-input:checked~.custom-control-label::after{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='12' height='12' viewBox='-4 -4 8 8'%3e%3ccircle r='3' fill='%23fff'/%3e%3c/svg%3e")}.custom-radio .custom-control-input:disabled:checked~.custom-control-label::before{background-color:rgba(0,123,255,.5)}.custom-switch{padding-left:2.25rem}.custom-switch .custom-control-label::before{left:-2.25rem;width:1.75rem;pointer-events:all;border-radius:.5rem}.custom-switch .custom-control-label::after{top:calc(.25rem + 2px);left:calc(-2.25rem + 2px);width:calc(1rem - 4px);height:calc(1rem - 4px);background-color:#adb5bd;border-radius:.5rem;transition:background-color .15s ease-in-out,border-color .15s ease-in-out,box-shadow .15s ease-in-out,-webkit-transform .15s ease-in-out;transition:transform .15s ease-in-out,background-color .15s ease-in-out,border-color .15s ease-in-out,box-shadow .15s ease-in-out;transition:transform .15s ease-in-out,background-color .15s ease-in-out,border-color .15s ease-in-out,box-shadow .15s ease-in-out,-webkit-transform .15s ease-in-out}@media (prefers-reduced-motion:reduce){.custom-switch .custom-control-label::after{transition:none}}.custom-switch .custom-control-input:checked~.custom-control-label::after{background-color:#fff;-webkit-transform:translateX(.75rem);transform:translateX(.75rem)}.custom-switch .custom-control-input:disabled:checked~.custom-control-label::before{background-color:rgba(0,123,255,.5)}.custom-select{display:inline-block;width:100%;height:calc(1.5em + .75rem + 2px);padding:.375rem 1.75rem .375rem .75rem;font-size:1rem;font-weight:400;line-height:1.5;color:#495057;vertical-align:middle;background:#fff url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='4' height='5' viewBox='0 0 4 5'%3e%3cpath fill='%23343a40' d='M2 0L0 2h4zm0 5L0 3h4z'/%3e%3c/svg%3e") no-repeat right .75rem center/8px 10px;border:1px solid #ced4da;border-radius:.25rem;-webkit-appearance:none;-moz-appearance:none;appearance:none}.custom-select:focus{border-color:#80bdff;outline:0;box-shadow:0 0 0 .2rem rgba(0,123,255,.25)}.custom-select:focus::-ms-value{color:#495057;background-color:#fff}.custom-select[multiple],.custom-select[size]:not([size="1"]){height:auto;padding-right:.75rem;background-image:none}.custom-select:disabled{color:#6c757d;background-color:#e9ecef}.custom-select::-ms-expand{display:none}.custom-select:-moz-focusring{color:transparent;text-shadow:0 0 0 #495057}.custom-select-sm{height:calc(1.5em + .5rem + 2px);padding-top:.25rem;padding-bottom:.25rem;padding-left:.5rem;font-size:.875rem}.custom-select-lg{height:calc(1.5em + 1rem + 2px);padding-top:.5rem;padding-bottom:.5rem;padding-left:1rem;font-size:1.25rem}.custom-file{position:relative;display:inline-block;width:100%;height:calc(1.5em + .75rem + 2px);margin-bottom:0}.custom-file-input{position:relative;z-index:2;width:100%;height:calc(1.5em + .75rem + 2px);margin:0;opacity:0}.custom-file-input:focus~.custom-file-label{border-color:#80bdff;box-shadow:0 0 0 .2rem rgba(0,123,255,.25)}.custom-file-input:disabled~.custom-file-label,.custom-file-input[disabled]~.custom-file-label{background-color:#e9ecef}.custom-file-input:lang(en)~.custom-file-label::after{content:"Browse"}.custom-file-input~.custom-file-label[data-browse]::after{content:attr(data-browse)}.custom-file-label{position:absolute;top:0;right:0;left:0;z-index:1;height:calc(1.5em + .75rem + 2px);padding:.375rem .75rem;font-weight:400;line-height:1.5;color:#495057;background-color:#fff;border:1px solid #ced4da;border-radius:.25rem}.custom-file-label::after{position:absolute;top:0;right:0;bottom:0;z-index:3;display:block;height:calc(1.5em + .75rem);padding:.375rem .75rem;line-height:1.5;color:#495057;content:"Browse";background-color:#e9ecef;border-left:inherit;border-radius:0 .25rem .25rem 0}.custom-range{width:100%;height:1.4rem;padding:0;background-color:transparent;-webkit-appearance:none;-moz-appearance:none;appearance:none}.custom-range:focus{outline:0}.custom-range:focus::-webkit-slider-thumb{box-shadow:0 0 0 1px #fff,0 0 0 .2rem rgba(0,123,255,.25)}.custom-range:focus::-moz-range-thumb{box-shadow:0 0 0 1px #fff,0 0 0 .2rem rgba(0,123,255,.25)}.custom-range:focus::-ms-thumb{box-shadow:0 0 0 1px #fff,0 0 0 .2rem rgba(0,123,255,.25)}.custom-range::-moz-focus-outer{border:0}.custom-range::-webkit-slider-thumb{width:1rem;height:1rem;margin-top:-.25rem;background-color:#007bff;border:0;border-radius:1rem;-webkit-transition:background-color .15s ease-in-out,border-color .15s ease-in-out,box-shadow .15s ease-in-out;transition:background-color .15s ease-in-out,border-color .15s ease-in-out,box-shadow .15s ease-in-out;-webkit-appearance:none;appearance:none}@media (prefers-reduced-motion:reduce){.custom-range::-webkit-slider-thumb{-webkit-transition:none;transition:none}}.custom-range::-webkit-slider-thumb:active{background-color:#b3d7ff}.custom-range::-webkit-slider-runnable-track{width:100%;height:.5rem;color:transparent;cursor:pointer;background-color:#dee2e6;border-color:transparent;border-radius:1rem}.custom-range::-moz-range-thumb{width:1rem;height:1rem;background-color:#007bff;border:0;border-radius:1rem;-moz-transition:background-color .15s ease-in-out,border-color .15s ease-in-out,box-shadow .15s ease-in-out;transition:background-color .15s ease-in-out,border-color .15s ease-in-out,box-shadow .15s ease-in-out;-moz-appearance:none;appearance:none}@media (prefers-reduced-motion:reduce){.custom-range::-moz-range-thumb{-moz-transition:none;transition:none}}.custom-range::-moz-range-thumb:active{background-color:#b3d7ff}.custom-range::-moz-range-track{width:100%;height:.5rem;color:transparent;cursor:pointer;background-color:#dee2e6;border-color:transparent;border-radius:1rem}.custom-range::-ms-thumb{width:1rem;height:1rem;margin-top:0;margin-right:.2rem;margin-left:.2rem;background-color:#007bff;border:0;border-radius:1rem;-ms-transition:background-color .15s ease-in-out,border-color .15s ease-in-out,box-shadow .15s ease-in-out;transition:background-color .15s ease-in-out,border-color .15s ease-in-out,box-shadow .15s ease-in-out;appearance:none}@media (prefers-reduced-motion:reduce){.custom-range::-ms-thumb{-ms-transition:none;transition:none}}.custom-range::-ms-thumb:active{background-color:#b3d7ff}.custom-range::-ms-track{width:100%;height:.5rem;color:transparent;cursor:pointer;background-color:transparent;border-color:transparent;border-width:.5rem}.custom-range::-ms-fill-lower{background-color:#dee2e6;border-radius:1rem}.custom-range::-ms-fill-upper{margin-right:15px;background-color:#dee2e6;border-radius:1rem}.custom-range:disabled::-webkit-slider-thumb{background-color:#adb5bd}.custom-range:disabled::-webkit-slider-runnable-track{cursor:default}.custom-range:disabled::-moz-range-thumb{background-color:#adb5bd}.custom-range:disabled::-moz-range-track{cursor:default}.custom-range:disabled::-ms-thumb{background-color:#adb5bd}.custom-control-label::before,.custom-file-label,.custom-select{transition:background-color .15s ease-in-out,border-color .15s ease-in-out,box-shadow .15s ease-in-out}@media (prefers-reduced-motion:reduce){.custom-control-label::before,.custom-file-label,.custom-select{transition:none}}.nav{display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;padding-left:0;margin-bottom:0;list-style:none}.nav-link{display:block;padding:.5rem 1rem}.nav-link:focus,.nav-link:hover{text-decoration:none}.nav-link.disabled{color:#6c757d;pointer-events:none;cursor:default}.nav-tabs{border-bottom:1px solid #dee2e6}.nav-tabs .nav-item{margin-bottom:-1px}.nav-tabs .nav-link{border:1px solid transparent;border-top-left-radius:.25rem;border-top-right-radius:.25rem}.nav-tabs .nav-link:focus,.nav-tabs .nav-link:hover{border-color:#e9ecef #e9ecef #dee2e6}.nav-tabs .nav-link.disabled{color:#6c757d;background-color:transparent;border-color:transparent}.nav-tabs .nav-item.show .nav-link,.nav-tabs .nav-link.active{color:#495057;background-color:#fff;border-color:#dee2e6 #dee2e6 #fff}.nav-tabs .dropdown-menu{margin-top:-1px;border-top-left-radius:0;border-top-right-radius:0}.nav-pills .nav-link{border-radius:.25rem}.nav-pills .nav-link.active,.nav-pills .show>.nav-link{color:#fff;background-color:#007bff}.nav-fill .nav-item{-ms-flex:1 1 auto;flex:1 1 auto;text-align:center}.nav-justified .nav-item{-ms-flex-preferred-size:0;flex-basis:0;-ms-flex-positive:1;flex-grow:1;text-align:center}.tab-content>.tab-pane{display:none}.tab-content>.active{display:block}.navbar{position:relative;display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;-ms-flex-align:center;align-items:center;-ms-flex-pack:justify;justify-content:space-between;padding:.5rem 1rem}.navbar .container,.navbar .container-fluid,.navbar .container-lg,.navbar .container-md,.navbar .container-sm,.navbar .container-xl{display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;-ms-flex-align:center;align-items:center;-ms-flex-pack:justify;justify-content:space-between}.navbar-brand{display:inline-block;padding-top:.3125rem;padding-bottom:.3125rem;margin-right:1rem;font-size:1.25rem;line-height:inherit;white-space:nowrap}.navbar-brand:focus,.navbar-brand:hover{text-decoration:none}.navbar-nav{display:-ms-flexbox;display:flex;-ms-flex-direction:column;flex-direction:column;padding-left:0;margin-bottom:0;list-style:none}.navbar-nav .nav-link{padding-right:0;padding-left:0}.navbar-nav .dropdown-menu{position:static;float:none}.navbar-text{display:inline-block;padding-top:.5rem;padding-bottom:.5rem}.navbar-collapse{-ms-flex-preferred-size:100%;flex-basis:100%;-ms-flex-positive:1;flex-grow:1;-ms-flex-align:center;align-items:center}.navbar-toggler{padding:.25rem .75rem;font-size:1.25rem;line-height:1;background-color:transparent;border:1px solid transparent;border-radius:.25rem}.navbar-toggler:focus,.navbar-toggler:hover{text-decoration:none}.navbar-toggler-icon{display:inline-block;width:1.5em;height:1.5em;vertical-align:middle;content:"";background:no-repeat center center;background-size:100% 100%}@media (max-width:575.98px){.navbar-expand-sm>.container,.navbar-expand-sm>.container-fluid,.navbar-expand-sm>.container-lg,.navbar-expand-sm>.container-md,.navbar-expand-sm>.container-sm,.navbar-expand-sm>.container-xl{padding-right:0;padding-left:0}}@media (min-width:576px){.navbar-expand-sm{-ms-flex-flow:row nowrap;flex-flow:row nowrap;-ms-flex-pack:start;justify-content:flex-start}.navbar-expand-sm .navbar-nav{-ms-flex-direction:row;flex-direction:row}.navbar-expand-sm .navbar-nav .dropdown-menu{position:absolute}.navbar-expand-sm .navbar-nav .nav-link{padding-right:.5rem;padding-left:.5rem}.navbar-expand-sm>.container,.navbar-expand-sm>.container-fluid,.navbar-expand-sm>.container-lg,.navbar-expand-sm>.container-md,.navbar-expand-sm>.container-sm,.navbar-expand-sm>.container-xl{-ms-flex-wrap:nowrap;flex-wrap:nowrap}.navbar-expand-sm .navbar-collapse{display:-ms-flexbox!important;display:flex!important;-ms-flex-preferred-size:auto;flex-basis:auto}.navbar-expand-sm .navbar-toggler{display:none}}@media (max-width:767.98px){.navbar-expand-md>.container,.navbar-expand-md>.container-fluid,.navbar-expand-md>.container-lg,.navbar-expand-md>.container-md,.navbar-expand-md>.container-sm,.navbar-expand-md>.container-xl{padding-right:0;padding-left:0}}@media (min-width:768px){.navbar-expand-md{-ms-flex-flow:row nowrap;flex-flow:row nowrap;-ms-flex-pack:start;justify-content:flex-start}.navbar-expand-md .navbar-nav{-ms-flex-direction:row;flex-direction:row}.navbar-expand-md .navbar-nav .dropdown-menu{position:absolute}.navbar-expand-md .navbar-nav .nav-link{padding-right:.5rem;padding-left:.5rem}.navbar-expand-md>.container,.navbar-expand-md>.container-fluid,.navbar-expand-md>.container-lg,.navbar-expand-md>.container-md,.navbar-expand-md>.container-sm,.navbar-expand-md>.container-xl{-ms-flex-wrap:nowrap;flex-wrap:nowrap}.navbar-expand-md .navbar-collapse{display:-ms-flexbox!important;display:flex!important;-ms-flex-preferred-size:auto;flex-basis:auto}.navbar-expand-md .navbar-toggler{display:none}}@media (max-width:991.98px){.navbar-expand-lg>.container,.navbar-expand-lg>.container-fluid,.navbar-expand-lg>.container-lg,.navbar-expand-lg>.container-md,.navbar-expand-lg>.container-sm,.navbar-expand-lg>.container-xl{padding-right:0;padding-left:0}}@media (min-width:992px){.navbar-expand-lg{-ms-flex-flow:row nowrap;flex-flow:row nowrap;-ms-flex-pack:start;justify-content:flex-start}.navbar-expand-lg .navbar-nav{-ms-flex-direction:row;flex-direction:row}.navbar-expand-lg .navbar-nav .dropdown-menu{position:absolute}.navbar-expand-lg .navbar-nav .nav-link{padding-right:.5rem;padding-left:.5rem}.navbar-expand-lg>.container,.navbar-expand-lg>.container-fluid,.navbar-expand-lg>.container-lg,.navbar-expand-lg>.container-md,.navbar-expand-lg>.container-sm,.navbar-expand-lg>.container-xl{-ms-flex-wrap:nowrap;flex-wrap:nowrap}.navbar-expand-lg .navbar-collapse{display:-ms-flexbox!important;display:flex!important;-ms-flex-preferred-size:auto;flex-basis:auto}.navbar-expand-lg .navbar-toggler{display:none}}@media (max-width:1199.98px){.navbar-expand-xl>.container,.navbar-expand-xl>.container-fluid,.navbar-expand-xl>.container-lg,.navbar-expand-xl>.container-md,.navbar-expand-xl>.container-sm,.navbar-expand-xl>.container-xl{padding-right:0;padding-left:0}}@media (min-width:1200px){.navbar-expand-xl{-ms-flex-flow:row nowrap;flex-flow:row nowrap;-ms-flex-pack:start;justify-content:flex-start}.navbar-expand-xl .navbar-nav{-ms-flex-direction:row;flex-direction:row}.navbar-expand-xl .navbar-nav .dropdown-menu{position:absolute}.navbar-expand-xl .navbar-nav .nav-link{padding-right:.5rem;padding-left:.5rem}.navbar-expand-xl>.container,.navbar-expand-xl>.container-fluid,.navbar-expand-xl>.container-lg,.navbar-expand-xl>.container-md,.navbar-expand-xl>.container-sm,.navbar-expand-xl>.container-xl{-ms-flex-wrap:nowrap;flex-wrap:nowrap}.navbar-expand-xl .navbar-collapse{display:-ms-flexbox!important;display:flex!important;-ms-flex-preferred-size:auto;flex-basis:auto}.navbar-expand-xl .navbar-toggler{display:none}}.navbar-expand{-ms-flex-flow:row nowrap;flex-flow:row nowrap;-ms-flex-pack:start;justify-content:flex-start}.navbar-expand>.container,.navbar-expand>.container-fluid,.navbar-expand>.container-lg,.navbar-expand>.container-md,.navbar-expand>.container-sm,.navbar-expand>.container-xl{padding-right:0;padding-left:0}.navbar-expand .navbar-nav{-ms-flex-direction:row;flex-direction:row}.navbar-expand .navbar-nav .dropdown-menu{position:absolute}.navbar-expand .navbar-nav .nav-link{padding-right:.5rem;padding-left:.5rem}.navbar-expand>.container,.navbar-expand>.container-fluid,.navbar-expand>.container-lg,.navbar-expand>.container-md,.navbar-expand>.container-sm,.navbar-expand>.container-xl{-ms-flex-wrap:nowrap;flex-wrap:nowrap}.navbar-expand .navbar-collapse{display:-ms-flexbox!important;display:flex!important;-ms-flex-preferred-size:auto;flex-basis:auto}.navbar-expand .navbar-toggler{display:none}.navbar-light .navbar-brand{color:rgba(0,0,0,.9)}.navbar-light .navbar-brand:focus,.navbar-light .navbar-brand:hover{color:rgba(0,0,0,.9)}.navbar-light .navbar-nav .nav-link{color:rgba(0,0,0,.5)}.navbar-light .navbar-nav .nav-link:focus,.navbar-light .navbar-nav .nav-link:hover{color:rgba(0,0,0,.7)}.navbar-light .navbar-nav .nav-link.disabled{color:rgba(0,0,0,.3)}.navbar-light .navbar-nav .active>.nav-link,.navbar-light .navbar-nav .nav-link.active,.navbar-light .navbar-nav .nav-link.show,.navbar-light .navbar-nav .show>.nav-link{color:rgba(0,0,0,.9)}.navbar-light .navbar-toggler{color:rgba(0,0,0,.5);border-color:rgba(0,0,0,.1)}.navbar-light .navbar-toggler-icon{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='30' height='30' viewBox='0 0 30 30'%3e%3cpath stroke='rgba%280, 0, 0, 0.5%29' stroke-linecap='round' stroke-miterlimit='10' stroke-width='2' d='M4 7h22M4 15h22M4 23h22'/%3e%3c/svg%3e")}.navbar-light .navbar-text{color:rgba(0,0,0,.5)}.navbar-light .navbar-text a{color:rgba(0,0,0,.9)}.navbar-light .navbar-text a:focus,.navbar-light .navbar-text a:hover{color:rgba(0,0,0,.9)}.navbar-dark .navbar-brand{color:#fff}.navbar-dark .navbar-brand:focus,.navbar-dark .navbar-brand:hover{color:#fff}.navbar-dark .navbar-nav .nav-link{color:rgba(255,255,255,.5)}.navbar-dark .navbar-nav .nav-link:focus,.navbar-dark .navbar-nav .nav-link:hover{color:rgba(255,255,255,.75)}.navbar-dark .navbar-nav .nav-link.disabled{color:rgba(255,255,255,.25)}.navbar-dark .navbar-nav .active>.nav-link,.navbar-dark .navbar-nav .nav-link.active,.navbar-dark .navbar-nav .nav-link.show,.navbar-dark .navbar-nav .show>.nav-link{color:#fff}.navbar-dark .navbar-toggler{color:rgba(255,255,255,.5);border-color:rgba(255,255,255,.1)}.navbar-dark .navbar-toggler-icon{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' width='30' height='30' viewBox='0 0 30 30'%3e%3cpath stroke='rgba%28255, 255, 255, 0.5%29' stroke-linecap='round' stroke-miterlimit='10' stroke-width='2' d='M4 7h22M4 15h22M4 23h22'/%3e%3c/svg%3e")}.navbar-dark .navbar-text{color:rgba(255,255,255,.5)}.navbar-dark .navbar-text a{color:#fff}.navbar-dark .navbar-text a:focus,.navbar-dark .navbar-text a:hover{color:#fff}.card{position:relative;display:-ms-flexbox;display:flex;-ms-flex-direction:column;flex-direction:column;min-width:0;word-wrap:break-word;background-color:#fff;background-clip:border-box;border:1px solid rgba(0,0,0,.125);border-radius:.25rem}.card>hr{margin-right:0;margin-left:0}.card>.list-group{border-top:inherit;border-bottom:inherit}.card>.list-group:first-child{border-top-width:0;border-top-left-radius:calc(.25rem - 1px);border-top-right-radius:calc(.25rem - 1px)}.card>.list-group:last-child{border-bottom-width:0;border-bottom-right-radius:calc(.25rem - 1px);border-bottom-left-radius:calc(.25rem - 1px)}.card-body{-ms-flex:1 1 auto;flex:1 1 auto;min-height:1px;padding:1.25rem}.card-title{margin-bottom:.75rem}.card-subtitle{margin-top:-.375rem;margin-bottom:0}.card-text:last-child{margin-bottom:0}.card-link:hover{text-decoration:none}.card-link+.card-link{margin-left:1.25rem}.card-header{padding:.75rem 1.25rem;margin-bottom:0;background-color:rgba(0,0,0,.03);border-bottom:1px solid rgba(0,0,0,.125)}.card-header:first-child{border-radius:calc(.25rem - 1px) calc(.25rem - 1px) 0 0}.card-header+.list-group .list-group-item:first-child{border-top:0}.card-footer{padding:.75rem 1.25rem;background-color:rgba(0,0,0,.03);border-top:1px solid rgba(0,0,0,.125)}.card-footer:last-child{border-radius:0 0 calc(.25rem - 1px) calc(.25rem - 1px)}.card-header-tabs{margin-right:-.625rem;margin-bottom:-.75rem;margin-left:-.625rem;border-bottom:0}.card-header-pills{margin-right:-.625rem;margin-left:-.625rem}.card-img-overlay{position:absolute;top:0;right:0;bottom:0;left:0;padding:1.25rem}.card-img,.card-img-bottom,.card-img-top{-ms-flex-negative:0;flex-shrink:0;width:100%}.card-img,.card-img-top{border-top-left-radius:calc(.25rem - 1px);border-top-right-radius:calc(.25rem - 1px)}.card-img,.card-img-bottom{border-bottom-right-radius:calc(.25rem - 1px);border-bottom-left-radius:calc(.25rem - 1px)}.card-deck .card{margin-bottom:15px}@media (min-width:576px){.card-deck{display:-ms-flexbox;display:flex;-ms-flex-flow:row wrap;flex-flow:row wrap;margin-right:-15px;margin-left:-15px}.card-deck .card{-ms-flex:1 0 0%;flex:1 0 0%;margin-right:15px;margin-bottom:0;margin-left:15px}}.card-group>.card{margin-bottom:15px}@media (min-width:576px){.card-group{display:-ms-flexbox;display:flex;-ms-flex-flow:row wrap;flex-flow:row wrap}.card-group>.card{-ms-flex:1 0 0%;flex:1 0 0%;margin-bottom:0}.card-group>.card+.card{margin-left:0;border-left:0}.card-group>.card:not(:last-child){border-top-right-radius:0;border-bottom-right-radius:0}.card-group>.card:not(:last-child) .card-header,.card-group>.card:not(:last-child) .card-img-top{border-top-right-radius:0}.card-group>.card:not(:last-child) .card-footer,.card-group>.card:not(:last-child) .card-img-bottom{border-bottom-right-radius:0}.card-group>.card:not(:first-child){border-top-left-radius:0;border-bottom-left-radius:0}.card-group>.card:not(:first-child) .card-header,.card-group>.card:not(:first-child) .card-img-top{border-top-left-radius:0}.card-group>.card:not(:first-child) .card-footer,.card-group>.card:not(:first-child) .card-img-bottom{border-bottom-left-radius:0}}.card-columns .card{margin-bottom:.75rem}@media (min-width:576px){.card-columns{-webkit-column-count:3;-moz-column-count:3;column-count:3;-webkit-column-gap:1.25rem;-moz-column-gap:1.25rem;column-gap:1.25rem;orphans:1;widows:1}.card-columns .card{display:inline-block;width:100%}}.accordion>.card{overflow:hidden}.accordion>.card:not(:last-of-type){border-bottom:0;border-bottom-right-radius:0;border-bottom-left-radius:0}.accordion>.card:not(:first-of-type){border-top-left-radius:0;border-top-right-radius:0}.accordion>.card>.card-header{border-radius:0;margin-bottom:-1px}.breadcrumb{display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;padding:.75rem 1rem;margin-bottom:1rem;list-style:none;background-color:#e9ecef;border-radius:.25rem}.breadcrumb-item{display:-ms-flexbox;display:flex}.breadcrumb-item+.breadcrumb-item{padding-left:.5rem}.breadcrumb-item+.breadcrumb-item::before{display:inline-block;padding-right:.5rem;color:#6c757d;content:"/"}.breadcrumb-item+.breadcrumb-item:hover::before{text-decoration:underline}.breadcrumb-item+.breadcrumb-item:hover::before{text-decoration:none}.breadcrumb-item.active{color:#6c757d}.pagination{display:-ms-flexbox;display:flex;padding-left:0;list-style:none;border-radius:.25rem}.page-link{position:relative;display:block;padding:.5rem .75rem;margin-left:-1px;line-height:1.25;color:#007bff;background-color:#fff;border:1px solid #dee2e6}.page-link:hover{z-index:2;color:#0056b3;text-decoration:none;background-color:#e9ecef;border-color:#dee2e6}.page-link:focus{z-index:3;outline:0;box-shadow:0 0 0 .2rem rgba(0,123,255,.25)}.page-item:first-child .page-link{margin-left:0;border-top-left-radius:.25rem;border-bottom-left-radius:.25rem}.page-item:last-child .page-link{border-top-right-radius:.25rem;border-bottom-right-radius:.25rem}.page-item.active .page-link{z-index:3;color:#fff;background-color:#007bff;border-color:#007bff}.page-item.disabled .page-link{color:#6c757d;pointer-events:none;cursor:auto;background-color:#fff;border-color:#dee2e6}.pagination-lg .page-link{padding:.75rem 1.5rem;font-size:1.25rem;line-height:1.5}.pagination-lg .page-item:first-child .page-link{border-top-left-radius:.3rem;border-bottom-left-radius:.3rem}.pagination-lg .page-item:last-child .page-link{border-top-right-radius:.3rem;border-bottom-right-radius:.3rem}.pagination-sm .page-link{padding:.25rem .5rem;font-size:.875rem;line-height:1.5}.pagination-sm .page-item:first-child .page-link{border-top-left-radius:.2rem;border-bottom-left-radius:.2rem}.pagination-sm .page-item:last-child .page-link{border-top-right-radius:.2rem;border-bottom-right-radius:.2rem}.badge{display:inline-block;padding:.25em .4em;font-size:75%;font-weight:700;line-height:1;text-align:center;white-space:nowrap;vertical-align:baseline;border-radius:.25rem;transition:color .15s ease-in-out,background-color .15s ease-in-out,border-color .15s ease-in-out,box-shadow .15s ease-in-out}@media (prefers-reduced-motion:reduce){.badge{transition:none}}a.badge:focus,a.badge:hover{text-decoration:none}.badge:empty{display:none}.btn .badge{position:relative;top:-1px}.badge-pill{padding-right:.6em;padding-left:.6em;border-radius:10rem}.badge-primary{color:#fff;background-color:#007bff}a.badge-primary:focus,a.badge-primary:hover{color:#fff;background-color:#0062cc}a.badge-primary.focus,a.badge-primary:focus{outline:0;box-shadow:0 0 0 .2rem rgba(0,123,255,.5)}.badge-secondary{color:#fff;background-color:#6c757d}a.badge-secondary:focus,a.badge-secondary:hover{color:#fff;background-color:#545b62}a.badge-secondary.focus,a.badge-secondary:focus{outline:0;box-shadow:0 0 0 .2rem rgba(108,117,125,.5)}.badge-success{color:#fff;background-color:#28a745}a.badge-success:focus,a.badge-success:hover{color:#fff;background-color:#1e7e34}a.badge-success.focus,a.badge-success:focus{outline:0;box-shadow:0 0 0 .2rem rgba(40,167,69,.5)}.badge-info{color:#fff;background-color:#17a2b8}a.badge-info:focus,a.badge-info:hover{color:#fff;background-color:#117a8b}a.badge-info.focus,a.badge-info:focus{outline:0;box-shadow:0 0 0 .2rem rgba(23,162,184,.5)}.badge-warning{color:#212529;background-color:#ffc107}a.badge-warning:focus,a.badge-warning:hover{color:#212529;background-color:#d39e00}a.badge-warning.focus,a.badge-warning:focus{outline:0;box-shadow:0 0 0 .2rem rgba(255,193,7,.5)}.badge-danger{color:#fff;background-color:#dc3545}a.badge-danger:focus,a.badge-danger:hover{color:#fff;background-color:#bd2130}a.badge-danger.focus,a.badge-danger:focus{outline:0;box-shadow:0 0 0 .2rem rgba(220,53,69,.5)}.badge-light{color:#212529;background-color:#f8f9fa}a.badge-light:focus,a.badge-light:hover{color:#212529;background-color:#dae0e5}a.badge-light.focus,a.badge-light:focus{outline:0;box-shadow:0 0 0 .2rem rgba(248,249,250,.5)}.badge-dark{color:#fff;background-color:#343a40}a.badge-dark:focus,a.badge-dark:hover{color:#fff;background-color:#1d2124}a.badge-dark.focus,a.badge-dark:focus{outline:0;box-shadow:0 0 0 .2rem rgba(52,58,64,.5)}.jumbotron{padding:2rem 1rem;margin-bottom:2rem;background-color:#e9ecef;border-radius:.3rem}@media (min-width:576px){.jumbotron{padding:4rem 2rem}}.jumbotron-fluid{padding-right:0;padding-left:0;border-radius:0}.alert{position:relative;padding:.75rem 1.25rem;margin-bottom:1rem;border:1px solid transparent;border-radius:.25rem}.alert-heading{color:inherit}.alert-link{font-weight:700}.alert-dismissible{padding-right:4rem}.alert-dismissible .close{position:absolute;top:0;right:0;padding:.75rem 1.25rem;color:inherit}.alert-primary{color:#004085;background-color:#cce5ff;border-color:#b8daff}.alert-primary hr{border-top-color:#9fcdff}.alert-primary .alert-link{color:#002752}.alert-secondary{color:#383d41;background-color:#e2e3e5;border-color:#d6d8db}.alert-secondary hr{border-top-color:#c8cbcf}.alert-secondary .alert-link{color:#202326}.alert-success{color:#155724;background-color:#d4edda;border-color:#c3e6cb}.alert-success hr{border-top-color:#b1dfbb}.alert-success .alert-link{color:#0b2e13}.alert-info{color:#0c5460;background-color:#d1ecf1;border-color:#bee5eb}.alert-info hr{border-top-color:#abdde5}.alert-info .alert-link{color:#062c33}.alert-warning{color:#856404;background-color:#fff3cd;border-color:#ffeeba}.alert-warning hr{border-top-color:#ffe8a1}.alert-warning .alert-link{color:#533f03}.alert-danger{color:#721c24;background-color:#f8d7da;border-color:#f5c6cb}.alert-danger hr{border-top-color:#f1b0b7}.alert-danger .alert-link{color:#491217}.alert-light{color:#818182;background-color:#fefefe;border-color:#fdfdfe}.alert-light hr{border-top-color:#ececf6}.alert-light .alert-link{color:#686868}.alert-dark{color:#1b1e21;background-color:#d6d8d9;border-color:#c6c8ca}.alert-dark hr{border-top-color:#b9bbbe}.alert-dark .alert-link{color:#040505}@-webkit-keyframes progress-bar-stripes{from{background-position:1rem 0}to{background-position:0 0}}@keyframes progress-bar-stripes{from{background-position:1rem 0}to{background-position:0 0}}.progress{display:-ms-flexbox;display:flex;height:1rem;overflow:hidden;line-height:0;font-size:.75rem;background-color:#e9ecef;border-radius:.25rem}.progress-bar{display:-ms-flexbox;display:flex;-ms-flex-direction:column;flex-direction:column;-ms-flex-pack:center;justify-content:center;overflow:hidden;color:#fff;text-align:center;white-space:nowrap;background-color:#007bff;transition:width .6s ease}@media (prefers-reduced-motion:reduce){.progress-bar{transition:none}}.progress-bar-striped{background-image:linear-gradient(45deg,rgba(255,255,255,.15) 25%,transparent 25%,transparent 50%,rgba(255,255,255,.15) 50%,rgba(255,255,255,.15) 75%,transparent 75%,transparent);background-size:1rem 1rem}.progress-bar-animated{-webkit-animation:progress-bar-stripes 1s linear infinite;animation:progress-bar-stripes 1s linear infinite}@media (prefers-reduced-motion:reduce){.progress-bar-animated{-webkit-animation:none;animation:none}}.media{display:-ms-flexbox;display:flex;-ms-flex-align:start;align-items:flex-start}.media-body{-ms-flex:1;flex:1}.list-group{display:-ms-flexbox;display:flex;-ms-flex-direction:column;flex-direction:column;padding-left:0;margin-bottom:0;border-radius:.25rem}.list-group-item-action{width:100%;color:#495057;text-align:inherit}.list-group-item-action:focus,.list-group-item-action:hover{z-index:1;color:#495057;text-decoration:none;background-color:#f8f9fa}.list-group-item-action:active{color:#212529;background-color:#e9ecef}.list-group-item{position:relative;display:block;padding:.75rem 1.25rem;background-color:#fff;border:1px solid rgba(0,0,0,.125)}.list-group-item:first-child{border-top-left-radius:inherit;border-top-right-radius:inherit}.list-group-item:last-child{border-bottom-right-radius:inherit;border-bottom-left-radius:inherit}.list-group-item.disabled,.list-group-item:disabled{color:#6c757d;pointer-events:none;background-color:#fff}.list-group-item.active{z-index:2;color:#fff;background-color:#007bff;border-color:#007bff}.list-group-item+.list-group-item{border-top-width:0}.list-group-item+.list-group-item.active{margin-top:-1px;border-top-width:1px}.list-group-horizontal{-ms-flex-direction:row;flex-direction:row}.list-group-horizontal>.list-group-item:first-child{border-bottom-left-radius:.25rem;border-top-right-radius:0}.list-group-horizontal>.list-group-item:last-child{border-top-right-radius:.25rem;border-bottom-left-radius:0}.list-group-horizontal>.list-group-item.active{margin-top:0}.list-group-horizontal>.list-group-item+.list-group-item{border-top-width:1px;border-left-width:0}.list-group-horizontal>.list-group-item+.list-group-item.active{margin-left:-1px;border-left-width:1px}@media (min-width:576px){.list-group-horizontal-sm{-ms-flex-direction:row;flex-direction:row}.list-group-horizontal-sm>.list-group-item:first-child{border-bottom-left-radius:.25rem;border-top-right-radius:0}.list-group-horizontal-sm>.list-group-item:last-child{border-top-right-radius:.25rem;border-bottom-left-radius:0}.list-group-horizontal-sm>.list-group-item.active{margin-top:0}.list-group-horizontal-sm>.list-group-item+.list-group-item{border-top-width:1px;border-left-width:0}.list-group-horizontal-sm>.list-group-item+.list-group-item.active{margin-left:-1px;border-left-width:1px}}@media (min-width:768px){.list-group-horizontal-md{-ms-flex-direction:row;flex-direction:row}.list-group-horizontal-md>.list-group-item:first-child{border-bottom-left-radius:.25rem;border-top-right-radius:0}.list-group-horizontal-md>.list-group-item:last-child{border-top-right-radius:.25rem;border-bottom-left-radius:0}.list-group-horizontal-md>.list-group-item.active{margin-top:0}.list-group-horizontal-md>.list-group-item+.list-group-item{border-top-width:1px;border-left-width:0}.list-group-horizontal-md>.list-group-item+.list-group-item.active{margin-left:-1px;border-left-width:1px}}@media (min-width:992px){.list-group-horizontal-lg{-ms-flex-direction:row;flex-direction:row}.list-group-horizontal-lg>.list-group-item:first-child{border-bottom-left-radius:.25rem;border-top-right-radius:0}.list-group-horizontal-lg>.list-group-item:last-child{border-top-right-radius:.25rem;border-bottom-left-radius:0}.list-group-horizontal-lg>.list-group-item.active{margin-top:0}.list-group-horizontal-lg>.list-group-item+.list-group-item{border-top-width:1px;border-left-width:0}.list-group-horizontal-lg>.list-group-item+.list-group-item.active{margin-left:-1px;border-left-width:1px}}@media (min-width:1200px){.list-group-horizontal-xl{-ms-flex-direction:row;flex-direction:row}.list-group-horizontal-xl>.list-group-item:first-child{border-bottom-left-radius:.25rem;border-top-right-radius:0}.list-group-horizontal-xl>.list-group-item:last-child{border-top-right-radius:.25rem;border-bottom-left-radius:0}.list-group-horizontal-xl>.list-group-item.active{margin-top:0}.list-group-horizontal-xl>.list-group-item+.list-group-item{border-top-width:1px;border-left-width:0}.list-group-horizontal-xl>.list-group-item+.list-group-item.active{margin-left:-1px;border-left-width:1px}}.list-group-flush{border-radius:0}.list-group-flush>.list-group-item{border-width:0 0 1px}.list-group-flush>.list-group-item:last-child{border-bottom-width:0}.list-group-item-primary{color:#004085;background-color:#b8daff}.list-group-item-primary.list-group-item-action:focus,.list-group-item-primary.list-group-item-action:hover{color:#004085;background-color:#9fcdff}.list-group-item-primary.list-group-item-action.active{color:#fff;background-color:#004085;border-color:#004085}.list-group-item-secondary{color:#383d41;background-color:#d6d8db}.list-group-item-secondary.list-group-item-action:focus,.list-group-item-secondary.list-group-item-action:hover{color:#383d41;background-color:#c8cbcf}.list-group-item-secondary.list-group-item-action.active{color:#fff;background-color:#383d41;border-color:#383d41}.list-group-item-success{color:#155724;background-color:#c3e6cb}.list-group-item-success.list-group-item-action:focus,.list-group-item-success.list-group-item-action:hover{color:#155724;background-color:#b1dfbb}.list-group-item-success.list-group-item-action.active{color:#fff;background-color:#155724;border-color:#155724}.list-group-item-info{color:#0c5460;background-color:#bee5eb}.list-group-item-info.list-group-item-action:focus,.list-group-item-info.list-group-item-action:hover{color:#0c5460;background-color:#abdde5}.list-group-item-info.list-group-item-action.active{color:#fff;background-color:#0c5460;border-color:#0c5460}.list-group-item-warning{color:#856404;background-color:#ffeeba}.list-group-item-warning.list-group-item-action:focus,.list-group-item-warning.list-group-item-action:hover{color:#856404;background-color:#ffe8a1}.list-group-item-warning.list-group-item-action.active{color:#fff;background-color:#856404;border-color:#856404}.list-group-item-danger{color:#721c24;background-color:#f5c6cb}.list-group-item-danger.list-group-item-action:focus,.list-group-item-danger.list-group-item-action:hover{color:#721c24;background-color:#f1b0b7}.list-group-item-danger.list-group-item-action.active{color:#fff;background-color:#721c24;border-color:#721c24}.list-group-item-light{color:#818182;background-color:#fdfdfe}.list-group-item-light.list-group-item-action:focus,.list-group-item-light.list-group-item-action:hover{color:#818182;background-color:#ececf6}.list-group-item-light.list-group-item-action.active{color:#fff;background-color:#818182;border-color:#818182}.list-group-item-dark{color:#1b1e21;background-color:#c6c8ca}.list-group-item-dark.list-group-item-action:focus,.list-group-item-dark.list-group-item-action:hover{color:#1b1e21;background-color:#b9bbbe}.list-group-item-dark.list-group-item-action.active{color:#fff;background-color:#1b1e21;border-color:#1b1e21}.close{float:right;font-size:1.5rem;font-weight:700;line-height:1;color:#000;text-shadow:0 1px 0 #fff;opacity:.5}.close:hover{color:#000;text-decoration:none}.close:not(:disabled):not(.disabled):focus,.close:not(:disabled):not(.disabled):hover{opacity:.75}button.close{padding:0;background-color:transparent;border:0}a.close.disabled{pointer-events:none}.toast{max-width:350px;overflow:hidden;font-size:.875rem;background-color:rgba(255,255,255,.85);background-clip:padding-box;border:1px solid rgba(0,0,0,.1);box-shadow:0 .25rem .75rem rgba(0,0,0,.1);-webkit-backdrop-filter:blur(10px);backdrop-filter:blur(10px);opacity:0;border-radius:.25rem}.toast:not(:last-child){margin-bottom:.75rem}.toast.showing{opacity:1}.toast.show{display:block;opacity:1}.toast.hide{display:none}.toast-header{display:-ms-flexbox;display:flex;-ms-flex-align:center;align-items:center;padding:.25rem .75rem;color:#6c757d;background-color:rgba(255,255,255,.85);background-clip:padding-box;border-bottom:1px solid rgba(0,0,0,.05)}.toast-body{padding:.75rem}.modal-open{overflow:hidden}.modal-open .modal{overflow-x:hidden;overflow-y:auto}.modal{position:fixed;top:0;left:0;z-index:1050;display:none;width:100%;height:100%;overflow:hidden;outline:0}.modal-dialog{position:relative;width:auto;margin:.5rem;pointer-events:none}.modal.fade .modal-dialog{transition:-webkit-transform .3s ease-out;transition:transform .3s ease-out;transition:transform .3s ease-out,-webkit-transform .3s ease-out;-webkit-transform:translate(0,-50px);transform:translate(0,-50px)}@media (prefers-reduced-motion:reduce){.modal.fade .modal-dialog{transition:none}}.modal.show .modal-dialog{-webkit-transform:none;transform:none}.modal.modal-static .modal-dialog{-webkit-transform:scale(1.02);transform:scale(1.02)}.modal-dialog-scrollable{display:-ms-flexbox;display:flex;max-height:calc(100% - 1rem)}.modal-dialog-scrollable .modal-content{max-height:calc(100vh - 1rem);overflow:hidden}.modal-dialog-scrollable .modal-footer,.modal-dialog-scrollable .modal-header{-ms-flex-negative:0;flex-shrink:0}.modal-dialog-scrollable .modal-body{overflow-y:auto}.modal-dialog-centered{display:-ms-flexbox;display:flex;-ms-flex-align:center;align-items:center;min-height:calc(100% - 1rem)}.modal-dialog-centered::before{display:block;height:calc(100vh - 1rem);height:-webkit-min-content;height:-moz-min-content;height:min-content;content:""}.modal-dialog-centered.modal-dialog-scrollable{-ms-flex-direction:column;flex-direction:column;-ms-flex-pack:center;justify-content:center;height:100%}.modal-dialog-centered.modal-dialog-scrollable .modal-content{max-height:none}.modal-dialog-centered.modal-dialog-scrollable::before{content:none}.modal-content{position:relative;display:-ms-flexbox;display:flex;-ms-flex-direction:column;flex-direction:column;width:100%;pointer-events:auto;background-color:#fff;background-clip:padding-box;border:1px solid rgba(0,0,0,.2);border-radius:.3rem;outline:0}.modal-backdrop{position:fixed;top:0;left:0;z-index:1040;width:100vw;height:100vh;background-color:#000}.modal-backdrop.fade{opacity:0}.modal-backdrop.show{opacity:.5}.modal-header{display:-ms-flexbox;display:flex;-ms-flex-align:start;align-items:flex-start;-ms-flex-pack:justify;justify-content:space-between;padding:1rem 1rem;border-bottom:1px solid #dee2e6;border-top-left-radius:calc(.3rem - 1px);border-top-right-radius:calc(.3rem - 1px)}.modal-header .close{padding:1rem 1rem;margin:-1rem -1rem -1rem auto}.modal-title{margin-bottom:0;line-height:1.5}.modal-body{position:relative;-ms-flex:1 1 auto;flex:1 1 auto;padding:1rem}.modal-footer{display:-ms-flexbox;display:flex;-ms-flex-wrap:wrap;flex-wrap:wrap;-ms-flex-align:center;align-items:center;-ms-flex-pack:end;justify-content:flex-end;padding:.75rem;border-top:1px solid #dee2e6;border-bottom-right-radius:calc(.3rem - 1px);border-bottom-left-radius:calc(.3rem - 1px)}.modal-footer>*{margin:.25rem}.modal-scrollbar-measure{position:absolute;top:-9999px;width:50px;height:50px;overflow:scroll}@media (min-width:576px){.modal-dialog{max-width:500px;margin:1.75rem auto}.modal-dialog-scrollable{max-height:calc(100% - 3.5rem)}.modal-dialog-scrollable .modal-content{max-height:calc(100vh - 3.5rem)}.modal-dialog-centered{min-height:calc(100% - 3.5rem)}.modal-dialog-centered::before{height:calc(100vh - 3.5rem);height:-webkit-min-content;height:-moz-min-content;height:min-content}.modal-sm{max-width:300px}}@media (min-width:992px){.modal-lg,.modal-xl{max-width:800px}}@media (min-width:1200px){.modal-xl{max-width:1140px}}.tooltip{position:absolute;z-index:1070;display:block;margin:0;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,"Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";font-style:normal;font-weight:400;line-height:1.5;text-align:left;text-align:start;text-decoration:none;text-shadow:none;text-transform:none;letter-spacing:normal;word-break:normal;word-spacing:normal;white-space:normal;line-break:auto;font-size:.875rem;word-wrap:break-word;opacity:0}.tooltip.show{opacity:.9}.tooltip .arrow{position:absolute;display:block;width:.8rem;height:.4rem}.tooltip .arrow::before{position:absolute;content:"";border-color:transparent;border-style:solid}.bs-tooltip-auto[x-placement^=top],.bs-tooltip-top{padding:.4rem 0}.bs-tooltip-auto[x-placement^=top] .arrow,.bs-tooltip-top .arrow{bottom:0}.bs-tooltip-auto[x-placement^=top] .arrow::before,.bs-tooltip-top .arrow::before{top:0;border-width:.4rem .4rem 0;border-top-color:#000}.bs-tooltip-auto[x-placement^=right],.bs-tooltip-right{padding:0 .4rem}.bs-tooltip-auto[x-placement^=right] .arrow,.bs-tooltip-right .arrow{left:0;width:.4rem;height:.8rem}.bs-tooltip-auto[x-placement^=right] .arrow::before,.bs-tooltip-right .arrow::before{right:0;border-width:.4rem .4rem .4rem 0;border-right-color:#000}.bs-tooltip-auto[x-placement^=bottom],.bs-tooltip-bottom{padding:.4rem 0}.bs-tooltip-auto[x-placement^=bottom] .arrow,.bs-tooltip-bottom .arrow{top:0}.bs-tooltip-auto[x-placement^=bottom] .arrow::before,.bs-tooltip-bottom .arrow::before{bottom:0;border-width:0 .4rem .4rem;border-bottom-color:#000}.bs-tooltip-auto[x-placement^=left],.bs-tooltip-left{padding:0 .4rem}.bs-tooltip-auto[x-placement^=left] .arrow,.bs-tooltip-left .arrow{right:0;width:.4rem;height:.8rem}.bs-tooltip-auto[x-placement^=left] .arrow::before,.bs-tooltip-left .arrow::before{left:0;border-width:.4rem 0 .4rem .4rem;border-left-color:#000}.tooltip-inner{max-width:200px;padding:.25rem .5rem;color:#fff;text-align:center;background-color:#000;border-radius:.25rem}.popover{position:absolute;top:0;left:0;z-index:1060;display:block;max-width:276px;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Helvetica Neue",Arial,"Noto Sans",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";font-style:normal;font-weight:400;line-height:1.5;text-align:left;text-align:start;text-decoration:none;text-shadow:none;text-transform:none;letter-spacing:normal;word-break:normal;word-spacing:normal;white-space:normal;line-break:auto;font-size:.875rem;word-wrap:break-word;background-color:#fff;background-clip:padding-box;border:1px solid rgba(0,0,0,.2);border-radius:.3rem}.popover .arrow{position:absolute;display:block;width:1rem;height:.5rem;margin:0 .3rem}.popover .arrow::after,.popover .arrow::before{position:absolute;display:block;content:"";border-color:transparent;border-style:solid}.bs-popover-auto[x-placement^=top],.bs-popover-top{margin-bottom:.5rem}.bs-popover-auto[x-placement^=top]>.arrow,.bs-popover-top>.arrow{bottom:calc(-.5rem - 1px)}.bs-popover-auto[x-placement^=top]>.arrow::before,.bs-popover-top>.arrow::before{bottom:0;border-width:.5rem .5rem 0;border-top-color:rgba(0,0,0,.25)}.bs-popover-auto[x-placement^=top]>.arrow::after,.bs-popover-top>.arrow::after{bottom:1px;border-width:.5rem .5rem 0;border-top-color:#fff}.bs-popover-auto[x-placement^=right],.bs-popover-right{margin-left:.5rem}.bs-popover-auto[x-placement^=right]>.arrow,.bs-popover-right>.arrow{left:calc(-.5rem - 1px);width:.5rem;height:1rem;margin:.3rem 0}.bs-popover-auto[x-placement^=right]>.arrow::before,.bs-popover-right>.arrow::before{left:0;border-width:.5rem .5rem .5rem 0;border-right-color:rgba(0,0,0,.25)}.bs-popover-auto[x-placement^=right]>.arrow::after,.bs-popover-right>.arrow::after{left:1px;border-width:.5rem .5rem .5rem 0;border-right-color:#fff}.bs-popover-auto[x-placement^=bottom],.bs-popover-bottom{margin-top:.5rem}.bs-popover-auto[x-placement^=bottom]>.arrow,.bs-popover-bottom>.arrow{top:calc(-.5rem - 1px)}.bs-popover-auto[x-placement^=bottom]>.arrow::before,.bs-popover-bottom>.arrow::before{top:0;border-width:0 .5rem .5rem .5rem;border-bottom-color:rgba(0,0,0,.25)}.bs-popover-auto[x-placement^=bottom]>.arrow::after,.bs-popover-bottom>.arrow::after{top:1px;border-width:0 .5rem .5rem .5rem;border-bottom-color:#fff}.bs-popover-auto[x-placement^=bottom] .popover-header::before,.bs-popover-bottom .popover-header::before{position:absolute;top:0;left:50%;display:block;width:1rem;margin-left:-.5rem;content:"";border-bottom:1px solid #f7f7f7}.bs-popover-auto[x-placement^=left],.bs-popover-left{margin-right:.5rem}.bs-popover-auto[x-placement^=left]>.arrow,.bs-popover-left>.arrow{right:calc(-.5rem - 1px);width:.5rem;height:1rem;margin:.3rem 0}.bs-popover-auto[x-placement^=left]>.arrow::before,.bs-popover-left>.arrow::before{right:0;border-width:.5rem 0 .5rem .5rem;border-left-color:rgba(0,0,0,.25)}.bs-popover-auto[x-placement^=left]>.arrow::after,.bs-popover-left>.arrow::after{right:1px;border-width:.5rem 0 .5rem .5rem;border-left-color:#fff}.popover-header{padding:.5rem .75rem;margin-bottom:0;font-size:1rem;background-color:#f7f7f7;border-bottom:1px solid #ebebeb;border-top-left-radius:calc(.3rem - 1px);border-top-right-radius:calc(.3rem - 1px)}.popover-header:empty{display:none}.popover-body{padding:.5rem .75rem;color:#212529}.carousel{position:relative}.carousel.pointer-event{-ms-touch-action:pan-y;touch-action:pan-y}.carousel-inner{position:relative;width:100%;overflow:hidden}.carousel-inner::after{display:block;clear:both;content:""}.carousel-item{position:relative;display:none;float:left;width:100%;margin-right:-100%;-webkit-backface-visibility:hidden;backface-visibility:hidden;transition:-webkit-transform .6s ease-in-out;transition:transform .6s ease-in-out;transition:transform .6s ease-in-out,-webkit-transform .6s ease-in-out}@media (prefers-reduced-motion:reduce){.carousel-item{transition:none}}.carousel-item-next,.carousel-item-prev,.carousel-item.active{display:block}.active.carousel-item-right,.carousel-item-next:not(.carousel-item-left){-webkit-transform:translateX(100%);transform:translateX(100%)}.active.carousel-item-left,.carousel-item-prev:not(.carousel-item-right){-webkit-transform:translateX(-100%);transform:translateX(-100%)}.carousel-fade .carousel-item{opacity:0;transition-property:opacity;-webkit-transform:none;transform:none}.carousel-fade .carousel-item-next.carousel-item-left,.carousel-fade .carousel-item-prev.carousel-item-right,.carousel-fade .carousel-item.active{z-index:1;opacity:1}.carousel-fade .active.carousel-item-left,.carousel-fade .active.carousel-item-right{z-index:0;opacity:0;transition:opacity 0s .6s}@media (prefers-reduced-motion:reduce){.carousel-fade .active.carousel-item-left,.carousel-fade .active.carousel-item-right{transition:none}}.carousel-control-next,.carousel-control-prev{position:absolute;top:0;bottom:0;z-index:1;display:-ms-flexbox;display:flex;-ms-flex-align:center;align-items:center;-ms-flex-pack:center;justify-content:center;width:15%;color:#fff;text-align:center;opacity:.5;transition:opacity .15s ease}@media (prefers-reduced-motion:reduce){.carousel-control-next,.carousel-control-prev{transition:none}}.carousel-control-next:focus,.carousel-control-next:hover,.carousel-control-prev:focus,.carousel-control-prev:hover{color:#fff;text-decoration:none;outline:0;opacity:.9}.carousel-control-prev{left:0}.carousel-control-next{right:0}.carousel-control-next-icon,.carousel-control-prev-icon{display:inline-block;width:20px;height:20px;background:no-repeat 50%/100% 100%}.carousel-control-prev-icon{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' fill='%23fff' width='8' height='8' viewBox='0 0 8 8'%3e%3cpath d='M5.25 0l-4 4 4 4 1.5-1.5L4.25 4l2.5-2.5L5.25 0z'/%3e%3c/svg%3e")}.carousel-control-next-icon{background-image:url("data:image/svg+xml,%3csvg xmlns='http://www.w3.org/2000/svg' fill='%23fff' width='8' height='8' viewBox='0 0 8 8'%3e%3cpath d='M2.75 0l-1.5 1.5L3.75 4l-2.5 2.5L2.75 8l4-4-4-4z'/%3e%3c/svg%3e")}.carousel-indicators{position:absolute;right:0;bottom:0;left:0;z-index:15;display:-ms-flexbox;display:flex;-ms-flex-pack:center;justify-content:center;padding-left:0;margin-right:15%;margin-left:15%;list-style:none}.carousel-indicators li{box-sizing:content-box;-ms-flex:0 1 auto;flex:0 1 auto;width:30px;height:3px;margin-right:3px;margin-left:3px;text-indent:-999px;cursor:pointer;background-color:#fff;background-clip:padding-box;border-top:10px solid transparent;border-bottom:10px solid transparent;opacity:.5;transition:opacity .6s ease}@media (prefers-reduced-motion:reduce){.carousel-indicators li{transition:none}}.carousel-indicators .active{opacity:1}.carousel-caption{position:absolute;right:15%;bottom:20px;left:15%;z-index:10;padding-top:20px;padding-bottom:20px;color:#fff;text-align:center}@-webkit-keyframes spinner-border{to{-webkit-transform:rotate(360deg);transform:rotate(360deg)}}@keyframes spinner-border{to{-webkit-transform:rotate(360deg);transform:rotate(360deg)}}.spinner-border{display:inline-block;width:2rem;height:2rem;vertical-align:text-bottom;border:.25em solid currentColor;border-right-color:transparent;border-radius:50%;-webkit-animation:spinner-border .75s linear infinite;animation:spinner-border .75s linear infinite}.spinner-border-sm{width:1rem;height:1rem;border-width:.2em}@-webkit-keyframes spinner-grow{0%{-webkit-transform:scale(0);transform:scale(0)}50%{opacity:1;-webkit-transform:none;transform:none}}@keyframes spinner-grow{0%{-webkit-transform:scale(0);transform:scale(0)}50%{opacity:1;-webkit-transform:none;transform:none}}.spinner-grow{display:inline-block;width:2rem;height:2rem;vertical-align:text-bottom;background-color:currentColor;border-radius:50%;opacity:0;-webkit-animation:spinner-grow .75s linear infinite;animation:spinner-grow .75s linear infinite}.spinner-grow-sm{width:1rem;height:1rem}.align-baseline{vertical-align:baseline!important}.align-top{vertical-align:top!important}.align-middle{vertical-align:middle!important}.align-bottom{vertical-align:bottom!important}.align-text-bottom{vertical-align:text-bottom!important}.align-text-top{vertical-align:text-top!important}.bg-primary{background-color:#007bff!important}a.bg-primary:focus,a.bg-primary:hover,button.bg-primary:focus,button.bg-primary:hover{background-color:#0062cc!important}.bg-secondary{background-color:#6c757d!important}a.bg-secondary:focus,a.bg-secondary:hover,button.bg-secondary:focus,button.bg-secondary:hover{background-color:#545b62!important}.bg-success{background-color:#28a745!important}a.bg-success:focus,a.bg-success:hover,button.bg-success:focus,button.bg-success:hover{background-color:#1e7e34!important}.bg-info{background-color:#17a2b8!important}a.bg-info:focus,a.bg-info:hover,button.bg-info:focus,button.bg-info:hover{background-color:#117a8b!important}.bg-warning{background-color:#ffc107!important}a.bg-warning:focus,a.bg-warning:hover,button.bg-warning:focus,button.bg-warning:hover{background-color:#d39e00!important}.bg-danger{background-color:#dc3545!important}a.bg-danger:focus,a.bg-danger:hover,button.bg-danger:focus,button.bg-danger:hover{background-color:#bd2130!important}.bg-light{background-color:#f8f9fa!important}a.bg-light:focus,a.bg-light:hover,button.bg-light:focus,button.bg-light:hover{background-color:#dae0e5!important}.bg-dark{background-color:#343a40!important}a.bg-dark:focus,a.bg-dark:hover,button.bg-dark:focus,button.bg-dark:hover{background-color:#1d2124!important}.bg-white{background-color:#fff!important}.bg-transparent{background-color:transparent!important}.border{border:1px solid #dee2e6!important}.border-top{border-top:1px solid #dee2e6!important}.border-right{border-right:1px solid #dee2e6!important}.border-bottom{border-bottom:1px solid #dee2e6!important}.border-left{border-left:1px solid #dee2e6!important}.border-0{border:0!important}.border-top-0{border-top:0!important}.border-right-0{border-right:0!important}.border-bottom-0{border-bottom:0!important}.border-left-0{border-left:0!important}.border-primary{border-color:#007bff!important}.border-secondary{border-color:#6c757d!important}.border-success{border-color:#28a745!important}.border-info{border-color:#17a2b8!important}.border-warning{border-color:#ffc107!important}.border-danger{border-color:#dc3545!important}.border-light{border-color:#f8f9fa!important}.border-dark{border-color:#343a40!important}.border-white{border-color:#fff!important}.rounded-sm{border-radius:.2rem!important}.rounded{border-radius:.25rem!important}.rounded-top{border-top-left-radius:.25rem!important;border-top-right-radius:.25rem!important}.rounded-right{border-top-right-radius:.25rem!important;border-bottom-right-radius:.25rem!important}.rounded-bottom{border-bottom-right-radius:.25rem!important;border-bottom-left-radius:.25rem!important}.rounded-left{border-top-left-radius:.25rem!important;border-bottom-left-radius:.25rem!important}.rounded-lg{border-radius:.3rem!important}.rounded-circle{border-radius:50%!important}.rounded-pill{border-radius:50rem!important}.rounded-0{border-radius:0!important}.clearfix::after{display:block;clear:both;content:""}.d-none{display:none!important}.d-inline{display:inline!important}.d-inline-block{display:inline-block!important}.d-block{display:block!important}.d-table{display:table!important}.d-table-row{display:table-row!important}.d-table-cell{display:table-cell!important}.d-flex{display:-ms-flexbox!important;display:flex!important}.d-inline-flex{display:-ms-inline-flexbox!important;display:inline-flex!important}@media (min-width:576px){.d-sm-none{display:none!important}.d-sm-inline{display:inline!important}.d-sm-inline-block{display:inline-block!important}.d-sm-block{display:block!important}.d-sm-table{display:table!important}.d-sm-table-row{display:table-row!important}.d-sm-table-cell{display:table-cell!important}.d-sm-flex{display:-ms-flexbox!important;display:flex!important}.d-sm-inline-flex{display:-ms-inline-flexbox!important;display:inline-flex!important}}@media (min-width:768px){.d-md-none{display:none!important}.d-md-inline{display:inline!important}.d-md-inline-block{display:inline-block!important}.d-md-block{display:block!important}.d-md-table{display:table!important}.d-md-table-row{display:table-row!important}.d-md-table-cell{display:table-cell!important}.d-md-flex{display:-ms-flexbox!important;display:flex!important}.d-md-inline-flex{display:-ms-inline-flexbox!important;display:inline-flex!important}}@media (min-width:992px){.d-lg-none{display:none!important}.d-lg-inline{display:inline!important}.d-lg-inline-block{display:inline-block!important}.d-lg-block{display:block!important}.d-lg-table{display:table!important}.d-lg-table-row{display:table-row!important}.d-lg-table-cell{display:table-cell!important}.d-lg-flex{display:-ms-flexbox!important;display:flex!important}.d-lg-inline-flex{display:-ms-inline-flexbox!important;display:inline-flex!important}}@media (min-width:1200px){.d-xl-none{display:none!important}.d-xl-inline{display:inline!important}.d-xl-inline-block{display:inline-block!important}.d-xl-block{display:block!important}.d-xl-table{display:table!important}.d-xl-table-row{display:table-row!important}.d-xl-table-cell{display:table-cell!important}.d-xl-flex{display:-ms-flexbox!important;display:flex!important}.d-xl-inline-flex{display:-ms-inline-flexbox!important;display:inline-flex!important}}@media print{.d-print-none{display:none!important}.d-print-inline{display:inline!important}.d-print-inline-block{display:inline-block!important}.d-print-block{display:block!important}.d-print-table{display:table!important}.d-print-table-row{display:table-row!important}.d-print-table-cell{display:table-cell!important}.d-print-flex{display:-ms-flexbox!important;display:flex!important}.d-print-inline-flex{display:-ms-inline-flexbox!important;display:inline-flex!important}}.embed-responsive{position:relative;display:block;width:100%;padding:0;overflow:hidden}.embed-responsive::before{display:block;content:""}.embed-responsive .embed-responsive-item,.embed-responsive embed,.embed-responsive iframe,.embed-responsive object,.embed-responsive video{position:absolute;top:0;bottom:0;left:0;width:100%;height:100%;border:0}.embed-responsive-21by9::before{padding-top:42.857143%}.embed-responsive-16by9::before{padding-top:56.25%}.embed-responsive-4by3::before{padding-top:75%}.embed-responsive-1by1::before{padding-top:100%}.flex-row{-ms-flex-direction:row!important;flex-direction:row!important}.flex-column{-ms-flex-direction:column!important;flex-direction:column!important}.flex-row-reverse{-ms-flex-direction:row-reverse!important;flex-direction:row-reverse!important}.flex-column-reverse{-ms-flex-direction:column-reverse!important;flex-direction:column-reverse!important}.flex-wrap{-ms-flex-wrap:wrap!important;flex-wrap:wrap!important}.flex-nowrap{-ms-flex-wrap:nowrap!important;flex-wrap:nowrap!important}.flex-wrap-reverse{-ms-flex-wrap:wrap-reverse!important;flex-wrap:wrap-reverse!important}.flex-fill{-ms-flex:1 1 auto!important;flex:1 1 auto!important}.flex-grow-0{-ms-flex-positive:0!important;flex-grow:0!important}.flex-grow-1{-ms-flex-positive:1!important;flex-grow:1!important}.flex-shrink-0{-ms-flex-negative:0!important;flex-shrink:0!important}.flex-shrink-1{-ms-flex-negative:1!important;flex-shrink:1!important}.justify-content-start{-ms-flex-pack:start!important;justify-content:flex-start!important}.justify-content-end{-ms-flex-pack:end!important;justify-content:flex-end!important}.justify-content-center{-ms-flex-pack:center!important;justify-content:center!important}.justify-content-between{-ms-flex-pack:justify!important;justify-content:space-between!important}.justify-content-around{-ms-flex-pack:distribute!important;justify-content:space-around!important}.align-items-start{-ms-flex-align:start!important;align-items:flex-start!important}.align-items-end{-ms-flex-align:end!important;align-items:flex-end!important}.align-items-center{-ms-flex-align:center!important;align-items:center!important}.align-items-baseline{-ms-flex-align:baseline!important;align-items:baseline!important}.align-items-stretch{-ms-flex-align:stretch!important;align-items:stretch!important}.align-content-start{-ms-flex-line-pack:start!important;align-content:flex-start!important}.align-content-end{-ms-flex-line-pack:end!important;align-content:flex-end!important}.align-content-center{-ms-flex-line-pack:center!important;align-content:center!important}.align-content-between{-ms-flex-line-pack:justify!important;align-content:space-between!important}.align-content-around{-ms-flex-line-pack:distribute!important;align-content:space-around!important}.align-content-stretch{-ms-flex-line-pack:stretch!important;align-content:stretch!important}.align-self-auto{-ms-flex-item-align:auto!important;align-self:auto!important}.align-self-start{-ms-flex-item-align:start!important;align-self:flex-start!important}.align-self-end{-ms-flex-item-align:end!important;align-self:flex-end!important}.align-self-center{-ms-flex-item-align:center!important;align-self:center!important}.align-self-baseline{-ms-flex-item-align:baseline!important;align-self:baseline!important}.align-self-stretch{-ms-flex-item-align:stretch!important;align-self:stretch!important}@media (min-width:576px){.flex-sm-row{-ms-flex-direction:row!important;flex-direction:row!important}.flex-sm-column{-ms-flex-direction:column!important;flex-direction:column!important}.flex-sm-row-reverse{-ms-flex-direction:row-reverse!important;flex-direction:row-reverse!important}.flex-sm-column-reverse{-ms-flex-direction:column-reverse!important;flex-direction:column-reverse!important}.flex-sm-wrap{-ms-flex-wrap:wrap!important;flex-wrap:wrap!important}.flex-sm-nowrap{-ms-flex-wrap:nowrap!important;flex-wrap:nowrap!important}.flex-sm-wrap-reverse{-ms-flex-wrap:wrap-reverse!important;flex-wrap:wrap-reverse!important}.flex-sm-fill{-ms-flex:1 1 auto!important;flex:1 1 auto!important}.flex-sm-grow-0{-ms-flex-positive:0!important;flex-grow:0!important}.flex-sm-grow-1{-ms-flex-positive:1!important;flex-grow:1!important}.flex-sm-shrink-0{-ms-flex-negative:0!important;flex-shrink:0!important}.flex-sm-shrink-1{-ms-flex-negative:1!important;flex-shrink:1!important}.justify-content-sm-start{-ms-flex-pack:start!important;justify-content:flex-start!important}.justify-content-sm-end{-ms-flex-pack:end!important;justify-content:flex-end!important}.justify-content-sm-center{-ms-flex-pack:center!important;justify-content:center!important}.justify-content-sm-between{-ms-flex-pack:justify!important;justify-content:space-between!important}.justify-content-sm-around{-ms-flex-pack:distribute!important;justify-content:space-around!important}.align-items-sm-start{-ms-flex-align:start!important;align-items:flex-start!important}.align-items-sm-end{-ms-flex-align:end!important;align-items:flex-end!important}.align-items-sm-center{-ms-flex-align:center!important;align-items:center!important}.align-items-sm-baseline{-ms-flex-align:baseline!important;align-items:baseline!important}.align-items-sm-stretch{-ms-flex-align:stretch!important;align-items:stretch!important}.align-content-sm-start{-ms-flex-line-pack:start!important;align-content:flex-start!important}.align-content-sm-end{-ms-flex-line-pack:end!important;align-content:flex-end!important}.align-content-sm-center{-ms-flex-line-pack:center!important;align-content:center!important}.align-content-sm-between{-ms-flex-line-pack:justify!important;align-content:space-between!important}.align-content-sm-around{-ms-flex-line-pack:distribute!important;align-content:space-around!important}.align-content-sm-stretch{-ms-flex-line-pack:stretch!important;align-content:stretch!important}.align-self-sm-auto{-ms-flex-item-align:auto!important;align-self:auto!important}.align-self-sm-start{-ms-flex-item-align:start!important;align-self:flex-start!important}.align-self-sm-end{-ms-flex-item-align:end!important;align-self:flex-end!important}.align-self-sm-center{-ms-flex-item-align:center!important;align-self:center!important}.align-self-sm-baseline{-ms-flex-item-align:baseline!important;align-self:baseline!important}.align-self-sm-stretch{-ms-flex-item-align:stretch!important;align-self:stretch!important}}@media (min-width:768px){.flex-md-row{-ms-flex-direction:row!important;flex-direction:row!important}.flex-md-column{-ms-flex-direction:column!important;flex-direction:column!important}.flex-md-row-reverse{-ms-flex-direction:row-reverse!important;flex-direction:row-reverse!important}.flex-md-column-reverse{-ms-flex-direction:column-reverse!important;flex-direction:column-reverse!important}.flex-md-wrap{-ms-flex-wrap:wrap!important;flex-wrap:wrap!important}.flex-md-nowrap{-ms-flex-wrap:nowrap!important;flex-wrap:nowrap!important}.flex-md-wrap-reverse{-ms-flex-wrap:wrap-reverse!important;flex-wrap:wrap-reverse!important}.flex-md-fill{-ms-flex:1 1 auto!important;flex:1 1 auto!important}.flex-md-grow-0{-ms-flex-positive:0!important;flex-grow:0!important}.flex-md-grow-1{-ms-flex-positive:1!important;flex-grow:1!important}.flex-md-shrink-0{-ms-flex-negative:0!important;flex-shrink:0!important}.flex-md-shrink-1{-ms-flex-negative:1!important;flex-shrink:1!important}.justify-content-md-start{-ms-flex-pack:start!important;justify-content:flex-start!important}.justify-content-md-end{-ms-flex-pack:end!important;justify-content:flex-end!important}.justify-content-md-center{-ms-flex-pack:center!important;justify-content:center!important}.justify-content-md-between{-ms-flex-pack:justify!important;justify-content:space-between!important}.justify-content-md-around{-ms-flex-pack:distribute!important;justify-content:space-around!important}.align-items-md-start{-ms-flex-align:start!important;align-items:flex-start!important}.align-items-md-end{-ms-flex-align:end!important;align-items:flex-end!important}.align-items-md-center{-ms-flex-align:center!important;align-items:center!important}.align-items-md-baseline{-ms-flex-align:baseline!important;align-items:baseline!important}.align-items-md-stretch{-ms-flex-align:stretch!important;align-items:stretch!important}.align-content-md-start{-ms-flex-line-pack:start!important;align-content:flex-start!important}.align-content-md-end{-ms-flex-line-pack:end!important;align-content:flex-end!important}.align-content-md-center{-ms-flex-line-pack:center!important;align-content:center!important}.align-content-md-between{-ms-flex-line-pack:justify!important;align-content:space-between!important}.align-content-md-around{-ms-flex-line-pack:distribute!important;align-content:space-around!important}.align-content-md-stretch{-ms-flex-line-pack:stretch!important;align-content:stretch!important}.align-self-md-auto{-ms-flex-item-align:auto!important;align-self:auto!important}.align-self-md-start{-ms-flex-item-align:start!important;align-self:flex-start!important}.align-self-md-end{-ms-flex-item-align:end!important;align-self:flex-end!important}.align-self-md-center{-ms-flex-item-align:center!important;align-self:center!important}.align-self-md-baseline{-ms-flex-item-align:baseline!important;align-self:baseline!important}.align-self-md-stretch{-ms-flex-item-align:stretch!important;align-self:stretch!important}}@media (min-width:992px){.flex-lg-row{-ms-flex-direction:row!important;flex-direction:row!important}.flex-lg-column{-ms-flex-direction:column!important;flex-direction:column!important}.flex-lg-row-reverse{-ms-flex-direction:row-reverse!important;flex-direction:row-reverse!important}.flex-lg-column-reverse{-ms-flex-direction:column-reverse!important;flex-direction:column-reverse!important}.flex-lg-wrap{-ms-flex-wrap:wrap!important;flex-wrap:wrap!important}.flex-lg-nowrap{-ms-flex-wrap:nowrap!important;flex-wrap:nowrap!important}.flex-lg-wrap-reverse{-ms-flex-wrap:wrap-reverse!important;flex-wrap:wrap-reverse!important}.flex-lg-fill{-ms-flex:1 1 auto!important;flex:1 1 auto!important}.flex-lg-grow-0{-ms-flex-positive:0!important;flex-grow:0!important}.flex-lg-grow-1{-ms-flex-positive:1!important;flex-grow:1!important}.flex-lg-shrink-0{-ms-flex-negative:0!important;flex-shrink:0!important}.flex-lg-shrink-1{-ms-flex-negative:1!important;flex-shrink:1!important}.justify-content-lg-start{-ms-flex-pack:start!important;justify-content:flex-start!important}.justify-content-lg-end{-ms-flex-pack:end!important;justify-content:flex-end!important}.justify-content-lg-center{-ms-flex-pack:center!important;justify-content:center!important}.justify-content-lg-between{-ms-flex-pack:justify!important;justify-content:space-between!important}.justify-content-lg-around{-ms-flex-pack:distribute!important;justify-content:space-around!important}.align-items-lg-start{-ms-flex-align:start!important;align-items:flex-start!important}.align-items-lg-end{-ms-flex-align:end!important;align-items:flex-end!important}.align-items-lg-center{-ms-flex-align:center!important;align-items:center!important}.align-items-lg-baseline{-ms-flex-align:baseline!important;align-items:baseline!important}.align-items-lg-stretch{-ms-flex-align:stretch!important;align-items:stretch!important}.align-content-lg-start{-ms-flex-line-pack:start!important;align-content:flex-start!important}.align-content-lg-end{-ms-flex-line-pack:end!important;align-content:flex-end!important}.align-content-lg-center{-ms-flex-line-pack:center!important;align-content:center!important}.align-content-lg-between{-ms-flex-line-pack:justify!important;align-content:space-between!important}.align-content-lg-around{-ms-flex-line-pack:distribute!important;align-content:space-around!important}.align-content-lg-stretch{-ms-flex-line-pack:stretch!important;align-content:stretch!important}.align-self-lg-auto{-ms-flex-item-align:auto!important;align-self:auto!important}.align-self-lg-start{-ms-flex-item-align:start!important;align-self:flex-start!important}.align-self-lg-end{-ms-flex-item-align:end!important;align-self:flex-end!important}.align-self-lg-center{-ms-flex-item-align:center!important;align-self:center!important}.align-self-lg-baseline{-ms-flex-item-align:baseline!important;align-self:baseline!important}.align-self-lg-stretch{-ms-flex-item-align:stretch!important;align-self:stretch!important}}@media (min-width:1200px){.flex-xl-row{-ms-flex-direction:row!important;flex-direction:row!important}.flex-xl-column{-ms-flex-direction:column!important;flex-direction:column!important}.flex-xl-row-reverse{-ms-flex-direction:row-reverse!important;flex-direction:row-reverse!important}.flex-xl-column-reverse{-ms-flex-direction:column-reverse!important;flex-direction:column-reverse!important}.flex-xl-wrap{-ms-flex-wrap:wrap!important;flex-wrap:wrap!important}.flex-xl-nowrap{-ms-flex-wrap:nowrap!important;flex-wrap:nowrap!important}.flex-xl-wrap-reverse{-ms-flex-wrap:wrap-reverse!important;flex-wrap:wrap-reverse!important}.flex-xl-fill{-ms-flex:1 1 auto!important;flex:1 1 auto!important}.flex-xl-grow-0{-ms-flex-positive:0!important;flex-grow:0!important}.flex-xl-grow-1{-ms-flex-positive:1!important;flex-grow:1!important}.flex-xl-shrink-0{-ms-flex-negative:0!important;flex-shrink:0!important}.flex-xl-shrink-1{-ms-flex-negative:1!important;flex-shrink:1!important}.justify-content-xl-start{-ms-flex-pack:start!important;justify-content:flex-start!important}.justify-content-xl-end{-ms-flex-pack:end!important;justify-content:flex-end!important}.justify-content-xl-center{-ms-flex-pack:center!important;justify-content:center!important}.justify-content-xl-between{-ms-flex-pack:justify!important;justify-content:space-between!important}.justify-content-xl-around{-ms-flex-pack:distribute!important;justify-content:space-around!important}.align-items-xl-start{-ms-flex-align:start!important;align-items:flex-start!important}.align-items-xl-end{-ms-flex-align:end!important;align-items:flex-end!important}.align-items-xl-center{-ms-flex-align:center!important;align-items:center!important}.align-items-xl-baseline{-ms-flex-align:baseline!important;align-items:baseline!important}.align-items-xl-stretch{-ms-flex-align:stretch!important;align-items:stretch!important}.align-content-xl-start{-ms-flex-line-pack:start!important;align-content:flex-start!important}.align-content-xl-end{-ms-flex-line-pack:end!important;align-content:flex-end!important}.align-content-xl-center{-ms-flex-line-pack:center!important;align-content:center!important}.align-content-xl-between{-ms-flex-line-pack:justify!important;align-content:space-between!important}.align-content-xl-around{-ms-flex-line-pack:distribute!important;align-content:space-around!important}.align-content-xl-stretch{-ms-flex-line-pack:stretch!important;align-content:stretch!important}.align-self-xl-auto{-ms-flex-item-align:auto!important;align-self:auto!important}.align-self-xl-start{-ms-flex-item-align:start!important;align-self:flex-start!important}.align-self-xl-end{-ms-flex-item-align:end!important;align-self:flex-end!important}.align-self-xl-center{-ms-flex-item-align:center!important;align-self:center!important}.align-self-xl-baseline{-ms-flex-item-align:baseline!important;align-self:baseline!important}.align-self-xl-stretch{-ms-flex-item-align:stretch!important;align-self:stretch!important}}.float-left{float:left!important}.float-right{float:right!important}.float-none{float:none!important}@media (min-width:576px){.float-sm-left{float:left!important}.float-sm-right{float:right!important}.float-sm-none{float:none!important}}@media (min-width:768px){.float-md-left{float:left!important}.float-md-right{float:right!important}.float-md-none{float:none!important}}@media (min-width:992px){.float-lg-left{float:left!important}.float-lg-right{float:right!important}.float-lg-none{float:none!important}}@media (min-width:1200px){.float-xl-left{float:left!important}.float-xl-right{float:right!important}.float-xl-none{float:none!important}}.user-select-all{-webkit-user-select:all!important;-moz-user-select:all!important;-ms-user-select:all!important;user-select:all!important}.user-select-auto{-webkit-user-select:auto!important;-moz-user-select:auto!important;-ms-user-select:auto!important;user-select:auto!important}.user-select-none{-webkit-user-select:none!important;-moz-user-select:none!important;-ms-user-select:none!important;user-select:none!important}.overflow-auto{overflow:auto!important}.overflow-hidden{overflow:hidden!important}.position-static{position:static!important}.position-relative{position:relative!important}.position-absolute{position:absolute!important}.position-fixed{position:fixed!important}.position-sticky{position:-webkit-sticky!important;position:sticky!important}.fixed-top{position:fixed;top:0;right:0;left:0;z-index:1030}.fixed-bottom{position:fixed;right:0;bottom:0;left:0;z-index:1030}@supports ((position:-webkit-sticky) or (position:sticky)){.sticky-top{position:-webkit-sticky;position:sticky;top:0;z-index:1020}}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);white-space:nowrap;border:0}.sr-only-focusable:active,.sr-only-focusable:focus{position:static;width:auto;height:auto;overflow:visible;clip:auto;white-space:normal}.shadow-sm{box-shadow:0 .125rem .25rem rgba(0,0,0,.075)!important}.shadow{box-shadow:0 .5rem 1rem rgba(0,0,0,.15)!important}.shadow-lg{box-shadow:0 1rem 3rem rgba(0,0,0,.175)!important}.shadow-none{box-shadow:none!important}.w-25{width:25%!important}.w-50{width:50%!important}.w-75{width:75%!important}.w-100{width:100%!important}.w-auto{width:auto!important}.h-25{height:25%!important}.h-50{height:50%!important}.h-75{height:75%!important}.h-100{height:100%!important}.h-auto{height:auto!important}.mw-100{max-width:100%!important}.mh-100{max-height:100%!important}.min-vw-100{min-width:100vw!important}.min-vh-100{min-height:100vh!important}.vw-100{width:100vw!important}.vh-100{height:100vh!important}.m-0{margin:0!important}.mt-0,.my-0{margin-top:0!important}.mr-0,.mx-0{margin-right:0!important}.mb-0,.my-0{margin-bottom:0!important}.ml-0,.mx-0{margin-left:0!important}.m-1{margin:.25rem!important}.mt-1,.my-1{margin-top:.25rem!important}.mr-1,.mx-1{margin-right:.25rem!important}.mb-1,.my-1{margin-bottom:.25rem!important}.ml-1,.mx-1{margin-left:.25rem!important}.m-2{margin:.5rem!important}.mt-2,.my-2{margin-top:.5rem!important}.mr-2,.mx-2{margin-right:.5rem!important}.mb-2,.my-2{margin-bottom:.5rem!important}.ml-2,.mx-2{margin-left:.5rem!important}.m-3{margin:1rem!important}.mt-3,.my-3{margin-top:1rem!important}.mr-3,.mx-3{margin-right:1rem!important}.mb-3,.my-3{margin-bottom:1rem!important}.ml-3,.mx-3{margin-left:1rem!important}.m-4{margin:1.5rem!important}.mt-4,.my-4{margin-top:1.5rem!important}.mr-4,.mx-4{margin-right:1.5rem!important}.mb-4,.my-4{margin-bottom:1.5rem!important}.ml-4,.mx-4{margin-left:1.5rem!important}.m-5{margin:3rem!important}.mt-5,.my-5{margin-top:3rem!important}.mr-5,.mx-5{margin-right:3rem!important}.mb-5,.my-5{margin-bottom:3rem!important}.ml-5,.mx-5{margin-left:3rem!important}.p-0{padding:0!important}.pt-0,.py-0{padding-top:0!important}.pr-0,.px-0{padding-right:0!important}.pb-0,.py-0{padding-bottom:0!important}.pl-0,.px-0{padding-left:0!important}.p-1{padding:.25rem!important}.pt-1,.py-1{padding-top:.25rem!important}.pr-1,.px-1{padding-right:.25rem!important}.pb-1,.py-1{padding-bottom:.25rem!important}.pl-1,.px-1{padding-left:.25rem!important}.p-2{padding:.5rem!important}.pt-2,.py-2{padding-top:.5rem!important}.pr-2,.px-2{padding-right:.5rem!important}.pb-2,.py-2{padding-bottom:.5rem!important}.pl-2,.px-2{padding-left:.5rem!important}.p-3{padding:1rem!important}.pt-3,.py-3{padding-top:1rem!important}.pr-3,.px-3{padding-right:1rem!important}.pb-3,.py-3{padding-bottom:1rem!important}.pl-3,.px-3{padding-left:1rem!important}.p-4{padding:1.5rem!important}.pt-4,.py-4{padding-top:1.5rem!important}.pr-4,.px-4{padding-right:1.5rem!important}.pb-4,.py-4{padding-bottom:1.5rem!important}.pl-4,.px-4{padding-left:1.5rem!important}.p-5{padding:3rem!important}.pt-5,.py-5{padding-top:3rem!important}.pr-5,.px-5{padding-right:3rem!important}.pb-5,.py-5{padding-bottom:3rem!important}.pl-5,.px-5{padding-left:3rem!important}.m-n1{margin:-.25rem!important}.mt-n1,.my-n1{margin-top:-.25rem!important}.mr-n1,.mx-n1{margin-right:-.25rem!important}.mb-n1,.my-n1{margin-bottom:-.25rem!important}.ml-n1,.mx-n1{margin-left:-.25rem!important}.m-n2{margin:-.5rem!important}.mt-n2,.my-n2{margin-top:-.5rem!important}.mr-n2,.mx-n2{margin-right:-.5rem!important}.mb-n2,.my-n2{margin-bottom:-.5rem!important}.ml-n2,.mx-n2{margin-left:-.5rem!important}.m-n3{margin:-1rem!important}.mt-n3,.my-n3{margin-top:-1rem!important}.mr-n3,.mx-n3{margin-right:-1rem!important}.mb-n3,.my-n3{margin-bottom:-1rem!important}.ml-n3,.mx-n3{margin-left:-1rem!important}.m-n4{margin:-1.5rem!important}.mt-n4,.my-n4{margin-top:-1.5rem!important}.mr-n4,.mx-n4{margin-right:-1.5rem!important}.mb-n4,.my-n4{margin-bottom:-1.5rem!important}.ml-n4,.mx-n4{margin-left:-1.5rem!important}.m-n5{margin:-3rem!important}.mt-n5,.my-n5{margin-top:-3rem!important}.mr-n5,.mx-n5{margin-right:-3rem!important}.mb-n5,.my-n5{margin-bottom:-3rem!important}.ml-n5,.mx-n5{margin-left:-3rem!important}.m-auto{margin:auto!important}.mt-auto,.my-auto{margin-top:auto!important}.mr-auto,.mx-auto{margin-right:auto!important}.mb-auto,.my-auto{margin-bottom:auto!important}.ml-auto,.mx-auto{margin-left:auto!important}@media (min-width:576px){.m-sm-0{margin:0!important}.mt-sm-0,.my-sm-0{margin-top:0!important}.mr-sm-0,.mx-sm-0{margin-right:0!important}.mb-sm-0,.my-sm-0{margin-bottom:0!important}.ml-sm-0,.mx-sm-0{margin-left:0!important}.m-sm-1{margin:.25rem!important}.mt-sm-1,.my-sm-1{margin-top:.25rem!important}.mr-sm-1,.mx-sm-1{margin-right:.25rem!important}.mb-sm-1,.my-sm-1{margin-bottom:.25rem!important}.ml-sm-1,.mx-sm-1{margin-left:.25rem!important}.m-sm-2{margin:.5rem!important}.mt-sm-2,.my-sm-2{margin-top:.5rem!important}.mr-sm-2,.mx-sm-2{margin-right:.5rem!important}.mb-sm-2,.my-sm-2{margin-bottom:.5rem!important}.ml-sm-2,.mx-sm-2{margin-left:.5rem!important}.m-sm-3{margin:1rem!important}.mt-sm-3,.my-sm-3{margin-top:1rem!important}.mr-sm-3,.mx-sm-3{margin-right:1rem!important}.mb-sm-3,.my-sm-3{margin-bottom:1rem!important}.ml-sm-3,.mx-sm-3{margin-left:1rem!important}.m-sm-4{margin:1.5rem!important}.mt-sm-4,.my-sm-4{margin-top:1.5rem!important}.mr-sm-4,.mx-sm-4{margin-right:1.5rem!important}.mb-sm-4,.my-sm-4{margin-bottom:1.5rem!important}.ml-sm-4,.mx-sm-4{margin-left:1.5rem!important}.m-sm-5{margin:3rem!important}.mt-sm-5,.my-sm-5{margin-top:3rem!important}.mr-sm-5,.mx-sm-5{margin-right:3rem!important}.mb-sm-5,.my-sm-5{margin-bottom:3rem!important}.ml-sm-5,.mx-sm-5{margin-left:3rem!important}.p-sm-0{padding:0!important}.pt-sm-0,.py-sm-0{padding-top:0!important}.pr-sm-0,.px-sm-0{padding-right:0!important}.pb-sm-0,.py-sm-0{padding-bottom:0!important}.pl-sm-0,.px-sm-0{padding-left:0!important}.p-sm-1{padding:.25rem!important}.pt-sm-1,.py-sm-1{padding-top:.25rem!important}.pr-sm-1,.px-sm-1{padding-right:.25rem!important}.pb-sm-1,.py-sm-1{padding-bottom:.25rem!important}.pl-sm-1,.px-sm-1{padding-left:.25rem!important}.p-sm-2{padding:.5rem!important}.pt-sm-2,.py-sm-2{padding-top:.5rem!important}.pr-sm-2,.px-sm-2{padding-right:.5rem!important}.pb-sm-2,.py-sm-2{padding-bottom:.5rem!important}.pl-sm-2,.px-sm-2{padding-left:.5rem!important}.p-sm-3{padding:1rem!important}.pt-sm-3,.py-sm-3{padding-top:1rem!important}.pr-sm-3,.px-sm-3{padding-right:1rem!important}.pb-sm-3,.py-sm-3{padding-bottom:1rem!important}.pl-sm-3,.px-sm-3{padding-left:1rem!important}.p-sm-4{padding:1.5rem!important}.pt-sm-4,.py-sm-4{padding-top:1.5rem!important}.pr-sm-4,.px-sm-4{padding-right:1.5rem!important}.pb-sm-4,.py-sm-4{padding-bottom:1.5rem!important}.pl-sm-4,.px-sm-4{padding-left:1.5rem!important}.p-sm-5{padding:3rem!important}.pt-sm-5,.py-sm-5{padding-top:3rem!important}.pr-sm-5,.px-sm-5{padding-right:3rem!important}.pb-sm-5,.py-sm-5{padding-bottom:3rem!important}.pl-sm-5,.px-sm-5{padding-left:3rem!important}.m-sm-n1{margin:-.25rem!important}.mt-sm-n1,.my-sm-n1{margin-top:-.25rem!important}.mr-sm-n1,.mx-sm-n1{margin-right:-.25rem!important}.mb-sm-n1,.my-sm-n1{margin-bottom:-.25rem!important}.ml-sm-n1,.mx-sm-n1{margin-left:-.25rem!important}.m-sm-n2{margin:-.5rem!important}.mt-sm-n2,.my-sm-n2{margin-top:-.5rem!important}.mr-sm-n2,.mx-sm-n2{margin-right:-.5rem!important}.mb-sm-n2,.my-sm-n2{margin-bottom:-.5rem!important}.ml-sm-n2,.mx-sm-n2{margin-left:-.5rem!important}.m-sm-n3{margin:-1rem!important}.mt-sm-n3,.my-sm-n3{margin-top:-1rem!important}.mr-sm-n3,.mx-sm-n3{margin-right:-1rem!important}.mb-sm-n3,.my-sm-n3{margin-bottom:-1rem!important}.ml-sm-n3,.mx-sm-n3{margin-left:-1rem!important}.m-sm-n4{margin:-1.5rem!important}.mt-sm-n4,.my-sm-n4{margin-top:-1.5rem!important}.mr-sm-n4,.mx-sm-n4{margin-right:-1.5rem!important}.mb-sm-n4,.my-sm-n4{margin-bottom:-1.5rem!important}.ml-sm-n4,.mx-sm-n4{margin-left:-1.5rem!important}.m-sm-n5{margin:-3rem!important}.mt-sm-n5,.my-sm-n5{margin-top:-3rem!important}.mr-sm-n5,.mx-sm-n5{margin-right:-3rem!important}.mb-sm-n5,.my-sm-n5{margin-bottom:-3rem!important}.ml-sm-n5,.mx-sm-n5{margin-left:-3rem!important}.m-sm-auto{margin:auto!important}.mt-sm-auto,.my-sm-auto{margin-top:auto!important}.mr-sm-auto,.mx-sm-auto{margin-right:auto!important}.mb-sm-auto,.my-sm-auto{margin-bottom:auto!important}.ml-sm-auto,.mx-sm-auto{margin-left:auto!important}}@media (min-width:768px){.m-md-0{margin:0!important}.mt-md-0,.my-md-0{margin-top:0!important}.mr-md-0,.mx-md-0{margin-right:0!important}.mb-md-0,.my-md-0{margin-bottom:0!important}.ml-md-0,.mx-md-0{margin-left:0!important}.m-md-1{margin:.25rem!important}.mt-md-1,.my-md-1{margin-top:.25rem!important}.mr-md-1,.mx-md-1{margin-right:.25rem!important}.mb-md-1,.my-md-1{margin-bottom:.25rem!important}.ml-md-1,.mx-md-1{margin-left:.25rem!important}.m-md-2{margin:.5rem!important}.mt-md-2,.my-md-2{margin-top:.5rem!important}.mr-md-2,.mx-md-2{margin-right:.5rem!important}.mb-md-2,.my-md-2{margin-bottom:.5rem!important}.ml-md-2,.mx-md-2{margin-left:.5rem!important}.m-md-3{margin:1rem!important}.mt-md-3,.my-md-3{margin-top:1rem!important}.mr-md-3,.mx-md-3{margin-right:1rem!important}.mb-md-3,.my-md-3{margin-bottom:1rem!important}.ml-md-3,.mx-md-3{margin-left:1rem!important}.m-md-4{margin:1.5rem!important}.mt-md-4,.my-md-4{margin-top:1.5rem!important}.mr-md-4,.mx-md-4{margin-right:1.5rem!important}.mb-md-4,.my-md-4{margin-bottom:1.5rem!important}.ml-md-4,.mx-md-4{margin-left:1.5rem!important}.m-md-5{margin:3rem!important}.mt-md-5,.my-md-5{margin-top:3rem!important}.mr-md-5,.mx-md-5{margin-right:3rem!important}.mb-md-5,.my-md-5{margin-bottom:3rem!important}.ml-md-5,.mx-md-5{margin-left:3rem!important}.p-md-0{padding:0!important}.pt-md-0,.py-md-0{padding-top:0!important}.pr-md-0,.px-md-0{padding-right:0!important}.pb-md-0,.py-md-0{padding-bottom:0!important}.pl-md-0,.px-md-0{padding-left:0!important}.p-md-1{padding:.25rem!important}.pt-md-1,.py-md-1{padding-top:.25rem!important}.pr-md-1,.px-md-1{padding-right:.25rem!important}.pb-md-1,.py-md-1{padding-bottom:.25rem!important}.pl-md-1,.px-md-1{padding-left:.25rem!important}.p-md-2{padding:.5rem!important}.pt-md-2,.py-md-2{padding-top:.5rem!important}.pr-md-2,.px-md-2{padding-right:.5rem!important}.pb-md-2,.py-md-2{padding-bottom:.5rem!important}.pl-md-2,.px-md-2{padding-left:.5rem!important}.p-md-3{padding:1rem!important}.pt-md-3,.py-md-3{padding-top:1rem!important}.pr-md-3,.px-md-3{padding-right:1rem!important}.pb-md-3,.py-md-3{padding-bottom:1rem!important}.pl-md-3,.px-md-3{padding-left:1rem!important}.p-md-4{padding:1.5rem!important}.pt-md-4,.py-md-4{padding-top:1.5rem!important}.pr-md-4,.px-md-4{padding-right:1.5rem!important}.pb-md-4,.py-md-4{padding-bottom:1.5rem!important}.pl-md-4,.px-md-4{padding-left:1.5rem!important}.p-md-5{padding:3rem!important}.pt-md-5,.py-md-5{padding-top:3rem!important}.pr-md-5,.px-md-5{padding-right:3rem!important}.pb-md-5,.py-md-5{padding-bottom:3rem!important}.pl-md-5,.px-md-5{padding-left:3rem!important}.m-md-n1{margin:-.25rem!important}.mt-md-n1,.my-md-n1{margin-top:-.25rem!important}.mr-md-n1,.mx-md-n1{margin-right:-.25rem!important}.mb-md-n1,.my-md-n1{margin-bottom:-.25rem!important}.ml-md-n1,.mx-md-n1{margin-left:-.25rem!important}.m-md-n2{margin:-.5rem!important}.mt-md-n2,.my-md-n2{margin-top:-.5rem!important}.mr-md-n2,.mx-md-n2{margin-right:-.5rem!important}.mb-md-n2,.my-md-n2{margin-bottom:-.5rem!important}.ml-md-n2,.mx-md-n2{margin-left:-.5rem!important}.m-md-n3{margin:-1rem!important}.mt-md-n3,.my-md-n3{margin-top:-1rem!important}.mr-md-n3,.mx-md-n3{margin-right:-1rem!important}.mb-md-n3,.my-md-n3{margin-bottom:-1rem!important}.ml-md-n3,.mx-md-n3{margin-left:-1rem!important}.m-md-n4{margin:-1.5rem!important}.mt-md-n4,.my-md-n4{margin-top:-1.5rem!important}.mr-md-n4,.mx-md-n4{margin-right:-1.5rem!important}.mb-md-n4,.my-md-n4{margin-bottom:-1.5rem!important}.ml-md-n4,.mx-md-n4{margin-left:-1.5rem!important}.m-md-n5{margin:-3rem!important}.mt-md-n5,.my-md-n5{margin-top:-3rem!important}.mr-md-n5,.mx-md-n5{margin-right:-3rem!important}.mb-md-n5,.my-md-n5{margin-bottom:-3rem!important}.ml-md-n5,.mx-md-n5{margin-left:-3rem!important}.m-md-auto{margin:auto!important}.mt-md-auto,.my-md-auto{margin-top:auto!important}.mr-md-auto,.mx-md-auto{margin-right:auto!important}.mb-md-auto,.my-md-auto{margin-bottom:auto!important}.ml-md-auto,.mx-md-auto{margin-left:auto!important}}@media (min-width:992px){.m-lg-0{margin:0!important}.mt-lg-0,.my-lg-0{margin-top:0!important}.mr-lg-0,.mx-lg-0{margin-right:0!important}.mb-lg-0,.my-lg-0{margin-bottom:0!important}.ml-lg-0,.mx-lg-0{margin-left:0!important}.m-lg-1{margin:.25rem!important}.mt-lg-1,.my-lg-1{margin-top:.25rem!important}.mr-lg-1,.mx-lg-1{margin-right:.25rem!important}.mb-lg-1,.my-lg-1{margin-bottom:.25rem!important}.ml-lg-1,.mx-lg-1{margin-left:.25rem!important}.m-lg-2{margin:.5rem!important}.mt-lg-2,.my-lg-2{margin-top:.5rem!important}.mr-lg-2,.mx-lg-2{margin-right:.5rem!important}.mb-lg-2,.my-lg-2{margin-bottom:.5rem!important}.ml-lg-2,.mx-lg-2{margin-left:.5rem!important}.m-lg-3{margin:1rem!important}.mt-lg-3,.my-lg-3{margin-top:1rem!important}.mr-lg-3,.mx-lg-3{margin-right:1rem!important}.mb-lg-3,.my-lg-3{margin-bottom:1rem!important}.ml-lg-3,.mx-lg-3{margin-left:1rem!important}.m-lg-4{margin:1.5rem!important}.mt-lg-4,.my-lg-4{margin-top:1.5rem!important}.mr-lg-4,.mx-lg-4{margin-right:1.5rem!important}.mb-lg-4,.my-lg-4{margin-bottom:1.5rem!important}.ml-lg-4,.mx-lg-4{margin-left:1.5rem!important}.m-lg-5{margin:3rem!important}.mt-lg-5,.my-lg-5{margin-top:3rem!important}.mr-lg-5,.mx-lg-5{margin-right:3rem!important}.mb-lg-5,.my-lg-5{margin-bottom:3rem!important}.ml-lg-5,.mx-lg-5{margin-left:3rem!important}.p-lg-0{padding:0!important}.pt-lg-0,.py-lg-0{padding-top:0!important}.pr-lg-0,.px-lg-0{padding-right:0!important}.pb-lg-0,.py-lg-0{padding-bottom:0!important}.pl-lg-0,.px-lg-0{padding-left:0!important}.p-lg-1{padding:.25rem!important}.pt-lg-1,.py-lg-1{padding-top:.25rem!important}.pr-lg-1,.px-lg-1{padding-right:.25rem!important}.pb-lg-1,.py-lg-1{padding-bottom:.25rem!important}.pl-lg-1,.px-lg-1{padding-left:.25rem!important}.p-lg-2{padding:.5rem!important}.pt-lg-2,.py-lg-2{padding-top:.5rem!important}.pr-lg-2,.px-lg-2{padding-right:.5rem!important}.pb-lg-2,.py-lg-2{padding-bottom:.5rem!important}.pl-lg-2,.px-lg-2{padding-left:.5rem!important}.p-lg-3{padding:1rem!important}.pt-lg-3,.py-lg-3{padding-top:1rem!important}.pr-lg-3,.px-lg-3{padding-right:1rem!important}.pb-lg-3,.py-lg-3{padding-bottom:1rem!important}.pl-lg-3,.px-lg-3{padding-left:1rem!important}.p-lg-4{padding:1.5rem!important}.pt-lg-4,.py-lg-4{padding-top:1.5rem!important}.pr-lg-4,.px-lg-4{padding-right:1.5rem!important}.pb-lg-4,.py-lg-4{padding-bottom:1.5rem!important}.pl-lg-4,.px-lg-4{padding-left:1.5rem!important}.p-lg-5{padding:3rem!important}.pt-lg-5,.py-lg-5{padding-top:3rem!important}.pr-lg-5,.px-lg-5{padding-right:3rem!important}.pb-lg-5,.py-lg-5{padding-bottom:3rem!important}.pl-lg-5,.px-lg-5{padding-left:3rem!important}.m-lg-n1{margin:-.25rem!important}.mt-lg-n1,.my-lg-n1{margin-top:-.25rem!important}.mr-lg-n1,.mx-lg-n1{margin-right:-.25rem!important}.mb-lg-n1,.my-lg-n1{margin-bottom:-.25rem!important}.ml-lg-n1,.mx-lg-n1{margin-left:-.25rem!important}.m-lg-n2{margin:-.5rem!important}.mt-lg-n2,.my-lg-n2{margin-top:-.5rem!important}.mr-lg-n2,.mx-lg-n2{margin-right:-.5rem!important}.mb-lg-n2,.my-lg-n2{margin-bottom:-.5rem!important}.ml-lg-n2,.mx-lg-n2{margin-left:-.5rem!important}.m-lg-n3{margin:-1rem!important}.mt-lg-n3,.my-lg-n3{margin-top:-1rem!important}.mr-lg-n3,.mx-lg-n3{margin-right:-1rem!important}.mb-lg-n3,.my-lg-n3{margin-bottom:-1rem!important}.ml-lg-n3,.mx-lg-n3{margin-left:-1rem!important}.m-lg-n4{margin:-1.5rem!important}.mt-lg-n4,.my-lg-n4{margin-top:-1.5rem!important}.mr-lg-n4,.mx-lg-n4{margin-right:-1.5rem!important}.mb-lg-n4,.my-lg-n4{margin-bottom:-1.5rem!important}.ml-lg-n4,.mx-lg-n4{margin-left:-1.5rem!important}.m-lg-n5{margin:-3rem!important}.mt-lg-n5,.my-lg-n5{margin-top:-3rem!important}.mr-lg-n5,.mx-lg-n5{margin-right:-3rem!important}.mb-lg-n5,.my-lg-n5{margin-bottom:-3rem!important}.ml-lg-n5,.mx-lg-n5{margin-left:-3rem!important}.m-lg-auto{margin:auto!important}.mt-lg-auto,.my-lg-auto{margin-top:auto!important}.mr-lg-auto,.mx-lg-auto{margin-right:auto!important}.mb-lg-auto,.my-lg-auto{margin-bottom:auto!important}.ml-lg-auto,.mx-lg-auto{margin-left:auto!important}}@media (min-width:1200px){.m-xl-0{margin:0!important}.mt-xl-0,.my-xl-0{margin-top:0!important}.mr-xl-0,.mx-xl-0{margin-right:0!important}.mb-xl-0,.my-xl-0{margin-bottom:0!important}.ml-xl-0,.mx-xl-0{margin-left:0!important}.m-xl-1{margin:.25rem!important}.mt-xl-1,.my-xl-1{margin-top:.25rem!important}.mr-xl-1,.mx-xl-1{margin-right:.25rem!important}.mb-xl-1,.my-xl-1{margin-bottom:.25rem!important}.ml-xl-1,.mx-xl-1{margin-left:.25rem!important}.m-xl-2{margin:.5rem!important}.mt-xl-2,.my-xl-2{margin-top:.5rem!important}.mr-xl-2,.mx-xl-2{margin-right:.5rem!important}.mb-xl-2,.my-xl-2{margin-bottom:.5rem!important}.ml-xl-2,.mx-xl-2{margin-left:.5rem!important}.m-xl-3{margin:1rem!important}.mt-xl-3,.my-xl-3{margin-top:1rem!important}.mr-xl-3,.mx-xl-3{margin-right:1rem!important}.mb-xl-3,.my-xl-3{margin-bottom:1rem!important}.ml-xl-3,.mx-xl-3{margin-left:1rem!important}.m-xl-4{margin:1.5rem!important}.mt-xl-4,.my-xl-4{margin-top:1.5rem!important}.mr-xl-4,.mx-xl-4{margin-right:1.5rem!important}.mb-xl-4,.my-xl-4{margin-bottom:1.5rem!important}.ml-xl-4,.mx-xl-4{margin-left:1.5rem!important}.m-xl-5{margin:3rem!important}.mt-xl-5,.my-xl-5{margin-top:3rem!important}.mr-xl-5,.mx-xl-5{margin-right:3rem!important}.mb-xl-5,.my-xl-5{margin-bottom:3rem!important}.ml-xl-5,.mx-xl-5{margin-left:3rem!important}.p-xl-0{padding:0!important}.pt-xl-0,.py-xl-0{padding-top:0!important}.pr-xl-0,.px-xl-0{padding-right:0!important}.pb-xl-0,.py-xl-0{padding-bottom:0!important}.pl-xl-0,.px-xl-0{padding-left:0!important}.p-xl-1{padding:.25rem!important}.pt-xl-1,.py-xl-1{padding-top:.25rem!important}.pr-xl-1,.px-xl-1{padding-right:.25rem!important}.pb-xl-1,.py-xl-1{padding-bottom:.25rem!important}.pl-xl-1,.px-xl-1{padding-left:.25rem!important}.p-xl-2{padding:.5rem!important}.pt-xl-2,.py-xl-2{padding-top:.5rem!important}.pr-xl-2,.px-xl-2{padding-right:.5rem!important}.pb-xl-2,.py-xl-2{padding-bottom:.5rem!important}.pl-xl-2,.px-xl-2{padding-left:.5rem!important}.p-xl-3{padding:1rem!important}.pt-xl-3,.py-xl-3{padding-top:1rem!important}.pr-xl-3,.px-xl-3{padding-right:1rem!important}.pb-xl-3,.py-xl-3{padding-bottom:1rem!important}.pl-xl-3,.px-xl-3{padding-left:1rem!important}.p-xl-4{padding:1.5rem!important}.pt-xl-4,.py-xl-4{padding-top:1.5rem!important}.pr-xl-4,.px-xl-4{padding-right:1.5rem!important}.pb-xl-4,.py-xl-4{padding-bottom:1.5rem!important}.pl-xl-4,.px-xl-4{padding-left:1.5rem!important}.p-xl-5{padding:3rem!important}.pt-xl-5,.py-xl-5{padding-top:3rem!important}.pr-xl-5,.px-xl-5{padding-right:3rem!important}.pb-xl-5,.py-xl-5{padding-bottom:3rem!important}.pl-xl-5,.px-xl-5{padding-left:3rem!important}.m-xl-n1{margin:-.25rem!important}.mt-xl-n1,.my-xl-n1{margin-top:-.25rem!important}.mr-xl-n1,.mx-xl-n1{margin-right:-.25rem!important}.mb-xl-n1,.my-xl-n1{margin-bottom:-.25rem!important}.ml-xl-n1,.mx-xl-n1{margin-left:-.25rem!important}.m-xl-n2{margin:-.5rem!important}.mt-xl-n2,.my-xl-n2{margin-top:-.5rem!important}.mr-xl-n2,.mx-xl-n2{margin-right:-.5rem!important}.mb-xl-n2,.my-xl-n2{margin-bottom:-.5rem!important}.ml-xl-n2,.mx-xl-n2{margin-left:-.5rem!important}.m-xl-n3{margin:-1rem!important}.mt-xl-n3,.my-xl-n3{margin-top:-1rem!important}.mr-xl-n3,.mx-xl-n3{margin-right:-1rem!important}.mb-xl-n3,.my-xl-n3{margin-bottom:-1rem!important}.ml-xl-n3,.mx-xl-n3{margin-left:-1rem!important}.m-xl-n4{margin:-1.5rem!important}.mt-xl-n4,.my-xl-n4{margin-top:-1.5rem!important}.mr-xl-n4,.mx-xl-n4{margin-right:-1.5rem!important}.mb-xl-n4,.my-xl-n4{margin-bottom:-1.5rem!important}.ml-xl-n4,.mx-xl-n4{margin-left:-1.5rem!important}.m-xl-n5{margin:-3rem!important}.mt-xl-n5,.my-xl-n5{margin-top:-3rem!important}.mr-xl-n5,.mx-xl-n5{margin-right:-3rem!important}.mb-xl-n5,.my-xl-n5{margin-bottom:-3rem!important}.ml-xl-n5,.mx-xl-n5{margin-left:-3rem!important}.m-xl-auto{margin:auto!important}.mt-xl-auto,.my-xl-auto{margin-top:auto!important}.mr-xl-auto,.mx-xl-auto{margin-right:auto!important}.mb-xl-auto,.my-xl-auto{margin-bottom:auto!important}.ml-xl-auto,.mx-xl-auto{margin-left:auto!important}}.stretched-link::after{position:absolute;top:0;right:0;bottom:0;left:0;z-index:1;pointer-events:auto;content:"";background-color:rgba(0,0,0,0)}.text-monospace{font-family:SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace!important}.text-justify{text-align:justify!important}.text-wrap{white-space:normal!important}.text-nowrap{white-space:nowrap!important}.text-truncate{overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.text-left{text-align:left!important}.text-right{text-align:right!important}.text-center{text-align:center!important}@media (min-width:576px){.text-sm-left{text-align:left!important}.text-sm-right{text-align:right!important}.text-sm-center{text-align:center!important}}@media (min-width:768px){.text-md-left{text-align:left!important}.text-md-right{text-align:right!important}.text-md-center{text-align:center!important}}@media (min-width:992px){.text-lg-left{text-align:left!important}.text-lg-right{text-align:right!important}.text-lg-center{text-align:center!important}}@media (min-width:1200px){.text-xl-left{text-align:left!important}.text-xl-right{text-align:right!important}.text-xl-center{text-align:center!important}}.text-lowercase{text-transform:lowercase!important}.text-uppercase{text-transform:uppercase!important}.text-capitalize{text-transform:capitalize!important}.font-weight-light{font-weight:300!important}.font-weight-lighter{font-weight:lighter!important}.font-weight-normal{font-weight:400!important}.font-weight-bold{font-weight:700!important}.font-weight-bolder{font-weight:bolder!important}.font-italic{font-style:italic!important}.text-white{color:#fff!important}.text-primary{color:#007bff!important}a.text-primary:focus,a.text-primary:hover{color:#0056b3!important}.text-secondary{color:#6c757d!important}a.text-secondary:focus,a.text-secondary:hover{color:#494f54!important}.text-success{color:#28a745!important}a.text-success:focus,a.text-success:hover{color:#19692c!important}.text-info{color:#17a2b8!important}a.text-info:focus,a.text-info:hover{color:#0f6674!important}.text-warning{color:#ffc107!important}a.text-warning:focus,a.text-warning:hover{color:#ba8b00!important}.text-danger{color:#dc3545!important}a.text-danger:focus,a.text-danger:hover{color:#a71d2a!important}.text-light{color:#f8f9fa!important}a.text-light:focus,a.text-light:hover{color:#cbd3da!important}.text-dark{color:#343a40!important}a.text-dark:focus,a.text-dark:hover{color:#121416!important}.text-body{color:#212529!important}.text-muted{color:#6c757d!important}.text-black-50{color:rgba(0,0,0,.5)!important}.text-white-50{color:rgba(255,255,255,.5)!important}.text-hide{font:0/0 a;color:transparent;text-shadow:none;background-color:transparent;border:0}.text-decoration-none{text-decoration:none!important}.text-break{word-wrap:break-word!important}.text-reset{color:inherit!important}.visible{visibility:visible!important}.invisible{visibility:hidden!important}@media print{*,::after,::before{text-shadow:none!important;box-shadow:none!important}a:not(.btn){text-decoration:underline}abbr[title]::after{content:" (" attr(title) ")"}pre{white-space:pre-wrap!important}blockquote,pre{border:1px solid #adb5bd;page-break-inside:avoid}thead{display:table-header-group}img,tr{page-break-inside:avoid}h2,h3,p{orphans:3;widows:3}h2,h3{page-break-after:avoid}@page{size:a3}body{min-width:992px!important}.container{min-width:992px!important}.navbar{display:none}.badge{border:1px solid #000}.table{border-collapse:collapse!important}.table td,.table th{background-color:#fff!important}.table-bordered td,.table-bordered th{border:1px solid #dee2e6!important}.table-dark{color:inherit}.table-dark tbody+tbody,.table-dark td,.table-dark th,.table-dark thead th{border-color:#dee2e6}.table .thead-dark th{color:inherit;border-color:#dee2e6}}
+/*# sourceMappingURL=bootstrap.min.css.map */
\ No newline at end of file
diff --git a/example/src/main/resources/static/index.html b/example/src/main/resources/static/index.html
index 19c2de0..db07454 100644
--- a/example/src/main/resources/static/index.html
+++ b/example/src/main/resources/static/index.html
@@ -5,9 +5,8 @@
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
     <title>Web eID: electronic ID smart cards on the Web</title>
     <link
-            href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css"
+            href="/css/bootstrap.min.css"
             rel="stylesheet"
-            crossorigin="anonymous"
     />
     <link
             href="/css/main.css"
diff --git a/example/src/main/resources/templates/welcome-with-file-upload-support.html b/example/src/main/resources/templates/welcome-with-file-upload-support.html
index 6734cfe..7b14aa3 100644
--- a/example/src/main/resources/templates/welcome-with-file-upload-support.html
+++ b/example/src/main/resources/templates/welcome-with-file-upload-support.html
@@ -5,9 +5,8 @@
         <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
         <title>Welcome!</title>
         <link
-            href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css"
+            href="/css/bootstrap.min.css"
             rel="stylesheet"
-            crossorigin="anonymous"
         />
         <link
             href="/css/main.css"
diff --git a/example/src/main/resources/templates/welcome.html b/example/src/main/resources/templates/welcome.html
index 7d2beeb..b41ba95 100644
--- a/example/src/main/resources/templates/welcome.html
+++ b/example/src/main/resources/templates/welcome.html
@@ -5,9 +5,8 @@
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
     <title>Welcome!</title>
     <link
-            href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css"
+            href="/css/bootstrap.min.css"
             rel="stylesheet"
-            crossorigin="anonymous"
     />
     <link
             href="/css/main.css"

From 0f77c9a08154230e8b851dbdc6b4f0af947fe12f Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Thu, 15 Jul 2021 13:38:23 +0300
Subject: [PATCH 035/116] security: turn on CSRF protection

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 .../example/config/ApplicationConfiguration.java     |  7 ++-----
 .../main/resources/{static => templates}/index.html  | 12 +++++++++++-
 example/src/main/resources/templates/welcome.html    | 12 +++++++++++-
 .../java/org/webeid/example/testutil/HttpHelper.java |  4 ++++
 4 files changed, 28 insertions(+), 7 deletions(-)
 rename example/src/main/resources/{static => templates}/index.html (96%)

diff --git a/example/src/main/java/org/webeid/example/config/ApplicationConfiguration.java b/example/src/main/java/org/webeid/example/config/ApplicationConfiguration.java
index 0d52175..e77b4c8 100644
--- a/example/src/main/java/org/webeid/example/config/ApplicationConfiguration.java
+++ b/example/src/main/java/org/webeid/example/config/ApplicationConfiguration.java
@@ -69,15 +69,12 @@ protected void configure(HttpSecurity http) throws Exception {
             .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
          .and()
             .headers()
-            .frameOptions()
-            .sameOrigin()
-         .and()
-            .csrf()
-            .disable();
+                .frameOptions().sameOrigin();
         // @formatter:on
     }
 
     public void addViewControllers(ViewControllerRegistry registry) {
+        registry.addViewController("/").setViewName("index");
         registry.addViewController("/welcome").setViewName("welcome");
     }
 
diff --git a/example/src/main/resources/static/index.html b/example/src/main/resources/templates/index.html
similarity index 96%
rename from example/src/main/resources/static/index.html
rename to example/src/main/resources/templates/index.html
index db07454..9be1e83 100644
--- a/example/src/main/resources/static/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -3,6 +3,10 @@
 <head>
     <meta charset="UTF-8"/>
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
+
+    <meta id="csrftoken" name="csrftoken" th:content="${_csrf.token}"/>
+    <meta id="csrfheadername" name="csrfheadername" th:content="${_csrf.headerName}"/>
+
     <title>Web eID: electronic ID smart cards on the Web</title>
     <link
             href="/css/bootstrap.min.css"
@@ -218,10 +222,16 @@ <h3><a id="for-developers"></a>For developers</h3>
 
     const authButton = document.querySelector("#webeid-auth-button");
 
+    const csrfToken = document.querySelector('#csrftoken').content;
+    const csrfHeaderName = document.querySelector('#csrfheadername').content;
+
     authButton.addEventListener("click", async () => {
         const options = {
             getAuthChallengeUrl: window.location.origin + "/auth/challenge",
-            postAuthTokenUrl: window.location.origin + "/auth/login"
+            postAuthTokenUrl: window.location.origin + "/auth/login",
+            headers: {
+                [csrfHeaderName]: csrfToken
+            }
         };
 
         hideErrorMessage();
diff --git a/example/src/main/resources/templates/welcome.html b/example/src/main/resources/templates/welcome.html
index b41ba95..e2d8221 100644
--- a/example/src/main/resources/templates/welcome.html
+++ b/example/src/main/resources/templates/welcome.html
@@ -3,6 +3,10 @@
 <head>
     <meta charset="UTF-8"/>
     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"/>
+
+    <meta id="csrftoken" name="csrftoken" th:content="${_csrf.token}"/>
+    <meta id="csrfheadername" name="csrfheadername" th:content="${_csrf.headerName}"/>
+
     <title>Welcome!</title>
     <link
             href="/css/bootstrap.min.css"
@@ -64,10 +68,16 @@ <h2 class="adding-signature">Digital signing</h2>
         window.location.href = "/sign/download";
     });
 
+    const csrfToken = document.querySelector('#csrftoken').content;
+    const csrfHeaderName = document.querySelector('#csrfheadername').content;
+
     signButton.addEventListener("click", async () => {
         const options = {
             postPrepareSigningUrl: window.location.origin + "/sign/prepare",
-            postFinalizeSigningUrl: window.location.origin + "/sign/sign"
+            postFinalizeSigningUrl: window.location.origin + "/sign/sign",
+            headers: {
+                [csrfHeaderName]: csrfToken
+            }
         };
 
         hideErrorMessage();
diff --git a/example/src/test/java/org/webeid/example/testutil/HttpHelper.java b/example/src/test/java/org/webeid/example/testutil/HttpHelper.java
index 9ec2f99..4becbd7 100644
--- a/example/src/test/java/org/webeid/example/testutil/HttpHelper.java
+++ b/example/src/test/java/org/webeid/example/testutil/HttpHelper.java
@@ -32,6 +32,7 @@
 import org.webeid.example.service.dto.CertificateDTO;
 import org.webeid.example.service.dto.SignatureDTO;
 
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 
@@ -43,6 +44,7 @@ public static MockHttpServletResponse login(DefaultMockMvcBuilder mvcBuilder, Mo
                 .build()
                 .perform(post("/auth/login")
                         .session(session)
+                        .with(csrf())
                         .contentType(MediaType.APPLICATION_JSON)
                         .content(ObjectMother.toJson(authTokenDTO)))
                 .andReturn()
@@ -68,6 +70,7 @@ public static MockHttpServletResponse prepare(DefaultMockMvcBuilder mvcBuilder,
                 .build()
                 .perform(post("/sign/prepare")
                         .session(session)
+                        .with(csrf())
                         .contentType(MediaType.APPLICATION_JSON)
                         .content(ObjectMother.toJson(certificateDTO)))
                 .andReturn()
@@ -81,6 +84,7 @@ public static MockHttpServletResponse sign(DefaultMockMvcBuilder mvcBuilder, Moc
                 .build()
                 .perform(post("/sign/sign")
                         .session(session)
+                        .with(csrf())
                         .contentType(MediaType.APPLICATION_JSON)
                         .content(ObjectMother.toJson(signatureDTO)))
                 .andReturn()

From 7174d870b204377203fdb0c7e3c12f1fefddf26d Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Thu, 15 Jul 2021 14:31:01 +0300
Subject: [PATCH 036/116] refactor: move settings from application.properties
 to application.yaml

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/src/main/resources/application.properties |  7 -------
 example/src/main/resources/application.yaml       | 10 ++++++++++
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/example/src/main/resources/application.properties b/example/src/main/resources/application.properties
index d1c337f..cbb42d2 100644
--- a/example/src/main/resources/application.properties
+++ b/example/src/main/resources/application.properties
@@ -1,8 +1 @@
 spring.profiles.active=dev
-# Make session cookie secure behind a reverse proxy, see
-# - https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-use-behind-a-proxy-server
-# - https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-enable-https
-server.forward-headers-strategy=native
-server.tomcat.remote-ip-header=x-forwarded-for
-server.tomcat.protocol-header=x-forwarded-proto
-# server.servlet.session.cookie.secure=true -- implicit when HTTPS is detected
diff --git a/example/src/main/resources/application.yaml b/example/src/main/resources/application.yaml
index 2c53a60..4c82178 100644
--- a/example/src/main/resources/application.yaml
+++ b/example/src/main/resources/application.yaml
@@ -5,6 +5,16 @@ spring:
       max-file-size: 5000KB
       max-request-size: 5000KB
 
+# Make session cookie secure behind a reverse proxy, see
+# - https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-use-behind-a-proxy-server
+# - https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-enable-https
+# Note that `server.servlet.session.cookie.secure` is implicitly true when HTTPS is detected.
+server:
+  forward-headers-strategy: native
+  tomcat:
+    remote-ip-header: x-forwarded-for
+    protocol-header: x-forwarded-proto
+
 logging:
   level:
     org.webeid.security: DEBUG

From c8746bf9fbf0a9a8f091a40e771529dd00a5be78 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Mon, 19 Jul 2021 22:24:22 +0300
Subject: [PATCH 037/116] feat(security): assure that authenticated subject
 matches with signing certificate subject

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 .../config/ValidationConfiguration.java       |   2 -
 .../AuthTokenDTOAuthenticationProvider.java   |  10 +----
 .../security/WebEidAuthentication.java        |  37 ++++++++++++++++++
 .../example/service/SigningService.java       |  34 ++++++++--------
 .../example/web/rest/SigningController.java   |   5 ++-
 .../webeid/example/WebApplicationTest.java    |   2 +-
 example/src/test/resources/signout.p12        | Bin 3061 -> 2890 bytes
 7 files changed, 61 insertions(+), 29 deletions(-)
 create mode 100644 example/src/main/java/org/webeid/example/security/WebEidAuthentication.java

diff --git a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
index 2df70d9..c52854a 100644
--- a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
+++ b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
@@ -135,8 +135,6 @@ public AuthTokenValidator validator() {
         try {
             return new AuthTokenValidatorBuilder()
                     .withSiteOrigin(URI.create(yamlConfig().getLocalOrigin()))
-                    // TODO: it is still open what the validation library should do when cert fingerprint validation is enabled but fingerprint is null (as in Chrome).
-                    // .withSiteCertificateSha256Fingerprint(yamlConfig().getFingerprint())
                     .withNonceCache(nonceCache())
                     .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromResources())
                     .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromKeyStore())
diff --git a/example/src/main/java/org/webeid/example/security/AuthTokenDTOAuthenticationProvider.java b/example/src/main/java/org/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
index de22a3c..1f27338 100644
--- a/example/src/main/java/org/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
+++ b/example/src/main/java/org/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
@@ -68,8 +68,8 @@ public Authentication authenticate(Authentication auth) throws AuthenticationExc
         authorities.add(USER_ROLE);
 
         try {
-            X509Certificate userCertificate = tokenValidator.validate(token);
-            return new PreAuthenticatedAuthenticationToken(getPrincipalFromCertificate(userCertificate), null, authorities);
+            final X509Certificate userCertificate = tokenValidator.validate(token);
+            return WebEidAuthentication.fromCertificate(userCertificate, authorities);
         } catch (TokenValidationException e) {
             LOG.warn("Token validation has failed", e);
             throw new AuthenticationServiceException("Token validation failed: " + e.getMessage());
@@ -85,10 +85,4 @@ public boolean supports(Class<?> authentication) {
         return PreAuthenticatedAuthenticationToken.class.equals(authentication);
     }
 
-    // FIXME: create a proper principal object
-    private String getPrincipalFromCertificate(X509Certificate userCertificate) throws CertificateEncodingException {
-        return CertUtil.getSubjectGivenName(userCertificate) + ' ' +
-                CertUtil.getSubjectSurname(userCertificate) + ", " +
-                CertUtil.getSubjectIdCode(userCertificate);
-    }
 }
diff --git a/example/src/main/java/org/webeid/example/security/WebEidAuthentication.java b/example/src/main/java/org/webeid/example/security/WebEidAuthentication.java
new file mode 100644
index 0000000..f935aab
--- /dev/null
+++ b/example/src/main/java/org/webeid/example/security/WebEidAuthentication.java
@@ -0,0 +1,37 @@
+package org.webeid.example.security;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+import org.webeid.security.util.CertUtil;
+
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.Objects;
+
+public class WebEidAuthentication extends PreAuthenticatedAuthenticationToken implements Authentication {
+
+    private final String idCode;
+
+    public static Authentication fromCertificate(X509Certificate userCertificate, List<GrantedAuthority> authorities) throws CertificateEncodingException {
+        final String principalName = getPrincipalNameFromCertificate(userCertificate);
+        final String idCode = Objects.requireNonNull(CertUtil.getSubjectIdCode(userCertificate));
+        return new WebEidAuthentication(principalName, idCode, authorities);
+    }
+
+    public String getIdCode() {
+        return idCode;
+    }
+
+    private WebEidAuthentication(String principalName, String idCode, List<GrantedAuthority> authorities) {
+        super(principalName, idCode, authorities);
+        this.idCode = idCode;
+    }
+
+    private static String getPrincipalNameFromCertificate(X509Certificate userCertificate) throws CertificateEncodingException {
+        return Objects.requireNonNull(CertUtil.getSubjectGivenName(userCertificate)) + ' ' +
+                Objects.requireNonNull(CertUtil.getSubjectSurname(userCertificate));
+    }
+
+}
diff --git a/example/src/main/java/org/webeid/example/service/SigningService.java b/example/src/main/java/org/webeid/example/service/SigningService.java
index f350dc2..43eddde 100644
--- a/example/src/main/java/org/webeid/example/service/SigningService.java
+++ b/example/src/main/java/org/webeid/example/service/SigningService.java
@@ -32,11 +32,13 @@
 import org.springframework.core.io.ByteArrayResource;
 import org.springframework.stereotype.Service;
 import org.webeid.example.config.YAMLConfig;
+import org.webeid.example.security.WebEidAuthentication;
 import org.webeid.example.service.dto.CertificateDTO;
 import org.webeid.example.service.dto.DigestDTO;
 import org.webeid.example.service.dto.FileDTO;
 import org.webeid.example.service.dto.SignatureDTO;
 import org.webeid.example.web.rest.SigningController;
+import org.webeid.security.util.CertUtil;
 
 import javax.servlet.http.HttpSession;
 import javax.xml.bind.DatatypeConverter;
@@ -74,13 +76,19 @@ private HttpSession currentSession() {
      * Prepares given container {@link Container} for the signature process.
      *
      * @param certificateDTO user's X.509 certificate
+     * @param authentication authenticated principal
      * @return data to be signed
      */
-    public DigestDTO prepareContainer(CertificateDTO certificateDTO) throws CertificateException, NoSuchAlgorithmException, IOException {
+    public DigestDTO prepareContainer(CertificateDTO certificateDTO, WebEidAuthentication authentication) throws CertificateException, NoSuchAlgorithmException, IOException {
+        X509Certificate certificate = certificateDTO.toX509Certificate();
+        if (!authentication.getIdCode().equals(CertUtil.getSubjectIdCode(certificate))) {
+            throw new IllegalArgumentException("Authenticated subject ID code differs from " +
+                    "signing certificate subject ID code");
+        }
+
         FileDTO fileDTO = FileDTO.getExampleForSigningFromResources();
         Container containerToSign = getContainerToSign(fileDTO);
         String containerName = generateContainerName(fileDTO.getName());
-        X509Certificate certificate = certificateDTO.toX509Certificate();
 
         currentSession().setAttribute(SESSION_ATTR_CONTAINER, containerToSign);
         currentSession().setAttribute(SESSION_ATTR_FILE, fileDTO);
@@ -118,22 +126,16 @@ public DigestDTO prepareContainer(CertificateDTO certificateDTO) throws Certific
      * @return fileDTO
      */
     public FileDTO signContainer(SignatureDTO signatureDTO) {
-        try {
-            FileDTO fileDTO = (FileDTO) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_FILE));
-            Container containerToSign = (Container) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_CONTAINER));
-            DataToSign dataToSign = (DataToSign) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_DATA));
-
-            byte[] signatureBytes = DatatypeConverter.parseBase64Binary(signatureDTO.getBase64Signature());
-            Signature signature = dataToSign.finalize(signatureBytes);
-            containerToSign.addSignature(signature);
-            currentSession().setAttribute(SESSION_ATTR_CONTAINER, containerToSign);
+        FileDTO fileDTO = (FileDTO) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_FILE));
+        Container containerToSign = (Container) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_CONTAINER));
+        DataToSign dataToSign = (DataToSign) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_DATA));
 
-            return new FileDTO(generateContainerName(fileDTO.getName()));
+        byte[] signatureBytes = DatatypeConverter.parseBase64Binary(signatureDTO.getBase64Signature());
+        Signature signature = dataToSign.finalize(signatureBytes);
+        containerToSign.addSignature(signature);
+        currentSession().setAttribute(SESSION_ATTR_CONTAINER, containerToSign);
 
-        } catch (Exception ex) {
-            LOG.error("Signing of container caused an error", ex);
-            throw new RuntimeException("Signing of container caused an error");
-        }
+        return new FileDTO(generateContainerName(fileDTO.getName()));
     }
 
     public String getContainerName() {
diff --git a/example/src/main/java/org/webeid/example/web/rest/SigningController.java b/example/src/main/java/org/webeid/example/web/rest/SigningController.java
index 5cb934f..652105c 100644
--- a/example/src/main/java/org/webeid/example/web/rest/SigningController.java
+++ b/example/src/main/java/org/webeid/example/web/rest/SigningController.java
@@ -27,6 +27,7 @@
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
+import org.webeid.example.security.WebEidAuthentication;
 import org.webeid.example.service.SigningService;
 import org.webeid.example.service.dto.CertificateDTO;
 import org.webeid.example.service.dto.DigestDTO;
@@ -48,8 +49,8 @@ public SigningController(SigningService signingService) {
     }
 
     @PostMapping("prepare")
-    public DigestDTO prepare(@RequestBody CertificateDTO data) throws CertificateException, NoSuchAlgorithmException, IOException {
-        return signingService.prepareContainer(data);
+    public DigestDTO prepare(@RequestBody CertificateDTO data, WebEidAuthentication authentication) throws CertificateException, NoSuchAlgorithmException, IOException {
+        return signingService.prepareContainer(data, authentication);
     }
 
     @PostMapping("sign")
diff --git a/example/src/test/java/org/webeid/example/WebApplicationTest.java b/example/src/test/java/org/webeid/example/WebApplicationTest.java
index 55838d8..499558c 100644
--- a/example/src/test/java/org/webeid/example/WebApplicationTest.java
+++ b/example/src/test/java/org/webeid/example/WebApplicationTest.java
@@ -112,7 +112,7 @@ public void validateOcspResponse(XadesSignature xadesSignature) {
         mvcBuilder.build().perform(get("/auth/challenge"));
 
         MockHttpServletResponse response = HttpHelper.login(mvcBuilder, session, ObjectMother.mockAuthToken());
-        assertEquals("{\"sub\":\"JAAK-KRISTJAN JÕEORG, PNOEE-38001085718\",\"auth\":[\"ROLE_USER\"]}", response.getContentAsString());
+        assertEquals("{\"sub\":\"JAAK-KRISTJAN JÕEORG\",\"auth\":[\"ROLE_USER\"]}", response.getContentAsString());
 
         /* Example how to test file upload.
         response = HttpHelper.upload(mvcBuilder, session, ObjectMother.mockMultipartFile());
diff --git a/example/src/test/resources/signout.p12 b/example/src/test/resources/signout.p12
index c3454bc6ad75577b1eb2a898a12314f4278739fd..3fd499be5f210e1b691bfd189db564e0049eacc8 100644
GIT binary patch
literal 2890
zcmY+EXE+-Q7snG4F=~_;wH0kp1QnyDN*g5htd$nEM~s?vix{P9&ng;QV^%0ywbiPc
zFIsyxW@u5lDc;`adEa}V`{6w2d4B(M&WH2i2gflXX@InF920<!K{8e+_9rtC0>tAO
z4?sA^T{w<$6OIF8{uO}@K{zn_H`e}LT69eR+q%FAq`~7rf5LH~V>pbC@&EYuab6HK
z>d`xDd$n}pC6fLkpE%d2X~wpTG&CRp2nXudH3+7!2+Uqdk+roqY&Eo(5(C2p52r#W
zUGA(WE>Ons=k6Jf26Fm`ZS8`?#a~dxVni=N5VsB!`jj>(;qa(IXd$|##s}M_3L~8F
zpeUA_L9>>et4D2j2b2_=Xxcwc2TbH8^|dARe+hqXhzK~am3k|pqSPzP3GazH3}mWh
zT8QD!b`lr)ib-s_0KfRfpR_OF`)T-Mu6i2JsK&EOiHXA+oK|b~l6f=0LMk=O$&c&%
zTE}9MK!UCA;yuLu9!%RGiu7PrNzj@WyM!6FXivKxZAp&#%mj2D{WU8n`WPa{ICZLC
z@i1+i3{2>rgzyKJ`$X6Yym2?fuM7xiXVk@^`giZ&`Z)EUwB|2t6^_m<w%J3sPwZgb
zvX=gZtQ_r{Zxdx%*DR0F49kXO7gOxkfVxV?%d6wTiH(Py_oj`OUj&O=j^83~oU%CT
zdPZUn8YPbQx8C@CxvKM_RWWfuuxw&4mPtshFh1kd3&9}GS$5=jtZamZsiBb&E$>d+
z_5kENtTc)LX|m&u!v5Z+Y%7t|5?d4D7!wgQCEb;eibKh-i4s#ke?K=2&6fO$G8B+`
z9&7pV1<(mh@g~f_5<mBlUOY)~f|?K*eWek}%&bRcrK?*gY`f@Vul&()8%P7cs^uxh
zSw8`x%mZFCgJdaVTqUkwdFT8{?OHU_Z<dus*l$8+8Wq=PezF_*Vp!J)nzW(Cv6?n}
z@-e+I^z`dED8d784l&#$J^X4QBR1Q$dL9zYEEp+Wm8LGC5fyo-X{x@pe6d;M9xmoH
zYk0eXZ-Q$rm{f&}Ge65uEhuO2uX;9!z4GCM{H7yxy}Mudh&&^)qt}&`<)mm?+;m?h
zY31jrcgHwpX}-tN9<+J=ssZi(G9&G!HScR(;LF(^jCKu>^M^l5x`EdAHP1eAX?E2p
zhwQKavX}6;hV|0BxkwPB*hdeaQxnZoWjO!LfekV{Rt834mW*rXk}q+HmAzjY>vMdv
zr+RXxDQ>y@6xGyAn4aU5&);gJkGyxUB;1c@&N~f?x(XG?Um>8S)))j^1tKvD3gPyA
zHN5JDcjVLaZdE-}!?QWm=sOi%?il<bsXGUFUkp10Tw0i9se60ZWHK>e6zL(qkf+UJ
zdb6&wWrAACVTcwp$<z4sqsrdl_@-*F4JjOWS9urt)vr~5EQCIDPxw`4B9GaD!7{Z`
zx6o<Zv3*tb<z#KO>wNi7|JEE4HMQsVY^ygM8;E&f_>Vug@o}Q_PYSo0?8~+6&&L7J
za$f|zH{)cEeS7p~uv9a0uRV(uE0u#FT0Nn%qx4*Uea|*)1&`4iSFePN$esWtePkqy
zBP=rAB&)Z)P2Rzn$uO!hkI?ysil37=TsUGIJ}wP-=1TA=(PBx!hf3M5Jg#Bh64^LY
zSQ|1%(|9mYC&gU2p72R`#yH*Y6IYA*B|v%F>^HpcG`H}5GMHRF;l6t#=;l?)f=FxI
z<3dcp_-KyV34&Y4C6wiss?h>lXA2r~y#%mhTmRsrIZzJAv}#k`A*~z#4#vK0brs<2
z#Xk4!d9H%sTTr*AvmU4TDwc<r9OBn^$R4f#T+P{qt`CI`K_SX^QG`oF$te>;TQc&q
zaVK&J_{G0X$pDoD3DN-M;3EGZPB|!u-OSC)Nmvdck5H0RQB+Y<R8;z{(Wt+NAar;f
z_|b3VLjwf-Zf^f1z<+6#?k}y@ZgMS1L^?7&@5=nfi|Z(hFKf^IOREt$Fx=ttN%($-
zr_vlKfYKq;a;E3E8B%UnkPzu_(CQWY{lMy_8(Q*kcG<u}Q=b2Q*0vQt9ro#9CDr-Q
zZx4K4V?ab@)~TKVo}z1M+bpN3WNf!*ux88M0Q>b#y8R~mg)W^OuYQYjgU$_Rw}h0c
zCW~LtCbso<0Ofe(L9FQB4U*=IC0AFm*-Rhi_-u!*wzw~08M4Ls6t#X9gNy#n0=gRL
zd-9Fai`PGdjpqAq5B4@soWr<;@ARcsx|qD&$ZiVO3$5sv@upJEMy#Jl((j)m_OiJ{
zl2gh|sVSF&lb-0Ox(LxJ#R|^_l`1!P_Z8`>CFWWKH9wz3p)p6A1ScCZW}0YiSNfxK
z4U2?`QoR;inhF9AYxsgm*A}27UYMPgAC0dOMOaEiAR#qn{ASu5Pg8@3{Wttl_8J6R
z-cVHJ&fBorK23Kl1c@Fok-I`Cdk4lS?89)H)a-LJ_hFfw^2T=ksQtKzLo<Qcj4b8e
z<x6=?lRKj(mvsZkq*njoZn$A+ETW+zqXd2?E5ZUZK4%pJ6NJKdv${UfoAj?}jYSDH
z#3GBPKwr^(Ry8HnNM`qSO-JjVhY?$n57y0OPN2l`R|xMd@km}qIrBPwr!)nxoETHx
z{)OnrN_axpNIVJ~?<Dgk#Ypf;EqPGic$m9-joueJz?IcDlM@CwBaKS}sJ?YZaf=sP
zJ?P?%HzI@ydJN{JBy_*$ye+rMqw#3|ipaFiC&z)8?~?V8wEmEK{9PkG+<vm3I1@F6
zRK^NBI0njd>W>=0Od#Y9wxkqJ_R$p@_jhlPBpb`}+Ns7XNb=mLR9S&KngQ;mr>nA*
zW1$E2L0wx-MOoi&KTDSP5aaGQcp_B=bF|ViPS{pg$tP)?&<qKCu4L$Vk2DvnOleGr
z&iFYvd)TZzVB$6MYYcLygHadqq>1v`b#YePc9a5)J`5@CX=vWIxY+BtMyc@L5XM`k
zyK0`P4Sx&^{(KfmmpVNPRzQkVD7UuceuiIS>EnAvA6RylUQMO<PVJJD>`iEY$`L%E
zp<O-0XWnSxn(i{#(?V9uCFv8pR7W7l+kG}2FuRe=>m_4U&r<nNThWg6t)`T#qa$4l
zSnNxO19j`2blpLL76?{%n4NV41F!HW_Rjf5wJ38zy?ugwubX4vf2Fngo)7)Xz1O82
zzau(&VZK$HT+YT-fUGaITuwP%NZ(+*E-OpfsGX|g(Qd8CxF6Tz#yBuGe((~n8!$aT
z4J0+paG_h1?<&wZ|2cnbJ!oVyD%smGaDdEs7Qct2k2=fm?3sen9epFNKfKmgD(_Jm
zWE<|;=(<vG)QMsUl=5UPzN^6<O!C2H)n+<WamAkQDc+x{ENsGeggByzrYSC_a?Y7@
zq=^?NKWbQY@_f8_XKtc~J^t`5;ITHW>@nXFI1+v|v>d43I{%+mdn55{ir07_cb_KK
zN!31GkGp(@OCpEg6x3M?6&@j=FvsR@9OAEq5reB$m13sevO5P>ilk2$(yVzQy1Ka7
zWki>5)x`%xQUsosMD`sit?&3y*<wPp9Rrsrd+le7bNnOG=rF#Ocr-a$Glt@BOIdP&
zc19~%tQx8}qG8C9esZ26N&d{r&MrY}7QrV`W&|jwg(TL*(w~n#zE=py9n#}(<+FL$
z1fQ7HzK+U$QS8(6rZU$ghh%!|p*|jWJ6gValOwE*08TKv9Rq{ZFOnk~NGerfQndjm
z7H&x#7g9C1#B3t6LdmtJa5cCHoPiE3#X?KN3kHCoW*xwrGf5UZu9iQ18p2M2GU6+@
dLC{^-G@?NKCa<P3;X{GHY{l2GBJ^L%{Vzs>T2cT2

literal 3061
zcmV<R3kviwf(!8i0Ru3C3%3RdDuzgg_YDCD0ic2ls04xwq%eXDpfG|4R|W|xhDe6@
z4FLxRpn?WSFoFg|0s#Opf(AVX2`Yw2hW8Bt2LUh~1_~;MNQU<f0So~KFb)I=x&#@f
zZB%>U0s;sCfPw}PqM(J;*JmD>Je0p4NKD!Mb=w4{LB);vco=SMbbA}jABSd+*$VgI
z`D~KJn{2nvDQW$|f&opF<;JUh<;rI?n}bCRv`x*sjGroQfk8~481tt$ZXm?5twx&I
z??;27RhNi*&+8P$$2ONfRyJTAJaxA`8TZ6=0*o)t6GU~@XtGJJ!5gTxFyo_exg){4
zgiw1fhaukah`G{ir@48cCGxU{Ss06<QR9=H9NtuihwYyo?rgcF3;ii30LQTC#Md9C
z!5g<R@mAoTgq0IEeq)!$e!8?*;jt!L4YTP$!nXi+cfPcaq`kSzJxCrL<p`F-`MZGs
zd_G9~L>xpWSgq=dy;C>ekKpgbH=@HkL}y`7e4loA{XeL`!)z>gic+6{Uw7iO74Z&C
z^WG&nDA7Fmoma*$I+(|w<TY_jPRAHkIpOI~9USB3;}`N3Ud}&nnTZPDMFU2$Q^!6j
zMqyga%*)Mw1R$5*=4yPL*Fn}}7LV``MB3rqym4Lxdv1s9T`Ux#Xf8><O=^tY<#YSq
zzd{e|b(agSNq5A!s$4T(90nCz#Q@_u$4<Zn!Qrj&CSwV9MhAptBlpkW*|bNJOgkDm
zUt<#tq~uN%IwZk-$`5D(Cx5MH?UK*mb%pqow$bd6ew<)xI`9^Q0r}uN9aw9-Z>UQy
zCxWzkjQti|0~kGoHrf|%h>F2El564%>t`|_3wt5>$sJu|AcWmP*}&;GR#PuB*`j7V
zIzja*n2b%VY?0Yt#T+%s4;J)%A}vNM4yHv+kY-gQ$(>DhT(M`xEG{n?+M61{bt*Sn
zri*$+Tv{a2goT6d6i$2S18?ktQ7f2s;t|8`e*Z0D14!RoA-*hhCN6WktdxMvv`EsF
zAO*)q^@5`q226y@na6D9_z)t<$oimKP(3pbo2NnB@5fuxgmLA(J_CY#0F+m&EZTO%
z*2~S>fy$IJkysayz3wJWv><tF1;usyH+NNiByN3T0-vJg1dY@nx=Yv{UwM`Zw>USJ
zlRR0H4zfnl<4TnBV?8^5j$Z`HkDz;d*J-=>aVP4`C=ipwJqG~;-wzmXu*y7;qB62V
z7wIqPeO((b-WM;Os_r)W;*%JR6sUPm#pgOT-j<V#qStBP=z<XmR6AUyO{suRQhPwK
z?B?SAuxp#XRf%P^TCye~E)DD33u%`ZySog_WxkS(79IMu1v8<zepam9$|zM~og2<D
z5;>~{JJH`tLFrWY(r_FFvxk=7hLeYjeLVt2TtpsaR&YG28=g^0uCy984dxpHwK!A|
zDW#ff(-$Gi=T&2kH8xKAL7U|#lIq*YFI+Y%j59D2+kL)F-aNyHybgHM2{oo&qtv3V
zqBa`xv|%A+*U~B~)Dx9*Ul<8?;Xpwal-yv@Ga!rRPaIU78Nuvq)&d2&Trd95q6zF0
zeNHs3r;+UuWaWb|onc~R`Lk|vRgj#x;-wh^fhDZjfE$542@IBHUfs#?7_z=r`hl~7
zIPGOO7dyGqZd;Z&fou<?DnV)3=+PbX>-jdN90*N{U#^Pd(XkQvj-T{Fzl8sZGz+G*
z&L$q|38}9P#e7z!!BM=My=HvQ(4CUAah*`$q!+VICZVcvG*vsTlBM{s9Rk>vs(%|-
zPN*BaD339D25ZI~#gF$F!%{_gboa40s)_MMC*+VnsJG==X|zT4=2`#~o#s?qs_9~9
zgRrtgN|5-Ni@5AteGyvl4Ct9xtAny_m-gTk)H%+fs8k16-g`poS5$Pwf9WIrC_*U|
zepHA}-iVhP$A!Qo>+F0x>8nLSUB}6Jh>quTeM76`l~#7_>{x>PU22-8?VBL8mI8=p
z`a?fb9a5KsIhrB~`E4;VlVJs=T|$=H1hjK2<Vz8sjcGh{pxNpJhuCG1GDL+bn8@QV
zKEPX{)sqOI#6QDFqgOOR+oO>m&N&;}Oa>jvusym@Qn8{)-N5bpoRcphl|@0fdX<w4
zw8Fb1pAbJ4UgIje*I1g*6T2FN!o<83ul&nTnqPZU$?kJQd2c5&)Y5Z5WRb$@kR!+P
zn<pXFFoFd^1_>&LNQU<f0S5t~f(0@Jf(0%xf(0rtf(0f93o3?4hW8Bt3<?1Ppn?SM
zFoFc?FdPO7Duzgg_YDCI0Ru1&1PC==wz9CL^V<Rf2ml0v1jyjCg>%yP)?7>=6)%#4
z9b7AushQyH)<LBfdmNh!?l)@#w}L`ymR3Sc#=VjfhmvTHjMSbJeZ$|%VzLf6R$oq$
zu-ZwH$iwekI&6V$Iq-)m9BYYfz{t0c(a~&`{@+X7O#6K4Au&O%*pQ%qv2cA75MVht
z>vQ}-!M@UzgJ&acco_X)*h;c0?(*Mxui#x;_t59Kz%sZAt}!0mGmxQ_y$#v!_A{V>
zUJhm%)nubHA4eH_LzoCD>`RVurFx|7V0E08q5WPULI0WEBlE-k@wtCbHYNmFLwSIo
zHi>xKm7Q<0P@;onh21dM4e|Q!QJ+IREUVR*xPBiZlNS4-Mj2bimERtAVNY=tRtD7K
z=pW*}d94^3<0JB}JoD>=Us~c|^n0jSOv(2m{}NpkC;G-@RvYd+)k-17AB)pUx%A)o
z9!XE5Hr6>7{e=y@B6;OACMA%q1ybcFY=A?{iQ1eJMi`Y3Y<8ahtc&$XTuX))3bPkE
z0`x7P_X-2ty0Rt|!9`KK7Tj-~`~}_)h!)yXuhj;fk>W-u7$@}Reujz0Z`(*>9-S9g
zK{j%8kNs~8{HtT{U9y@jZi9?aO;$z3f)wkuibAWU42P!+=Hx1M)iudKig-o#Q)*lZ
z!Tx0gUs!68SD8^EqYNFjK?d8zAhxpdl5K0dBySU~Sl7YyNkG56L7G<G1^8Ak7%TSA
zKXL4%llD8Aq&D{4b-+=hQs9=q3wk<Lbg*u#3@6q0IR+fhhWi2ogb7q-;6(vHV>TJe
zwiKe<9K2|T7zFHm|Dsh46z9?vB56F1y*Xj~X3-T!I2-u_1fP!GtfSbKsJ*yk9naPD
zdeEEsR6^2F7Tf$qC~c84GOFFeL(c%Jry*H9jf9V=T9RSMBT;d>KQ{56-y}<<n2R|y
zz_K{ojtiXJ_vjxjT>oc(5EGaFA`U4Wt34ePhGz>It(aT2XwAAq9k;)uW~?foZa7@!
z(2BDq<6p%t;UycYSYj)=VbB_x%JF8&7zZ=qvm;KHI>1|>23Qqbj+}MZ&{IftkLR6B
zgYf$?Ik%LY^a{BcSbG=me0ad6fQ_O(+Ht-FlM~0dwf4zW2A2B8+(_tA7_Fm>gL^pc
z(1E2~<+}>Iiwh=S^$qF+2(5PkYw5<}Q+|sIH%-_BxbV+?C*l!_!kaT1%lbKtOsY<N
zJ5kz;9lXFz58CW=&3sn2SbAPR%6}g)eumMVc=<_Y$k_edvehi7WKNWT<;73#$@q;S
z!)xbj>>vxPdnR0{<|h>TV}X%>maczTXduHwB=4XI9ON$<(Sfw;tt7FX0ulBf$O#RM
z0}??r1sQ<I^rD1N?cL)7#A5^sn&wiZIu_pYZP(It-GCM01jtc6pzqyfq9cBFMT}A-
zf>yeoY;+b4k2EJ+o>!s)^#Ke$DkzjJj}zUICqyE7&zFv0)(l`zJb~O;f=`?q7q_XG
zy;Ezm6H~X+JS8-EE`PyA9$EG37?<W?5z24{vg21nv$=ORhU*v<pkRKZc}DrMERN6^
z4Nz_MIW=J(R#v%ji=5-PP2u^EgzC9o`+M%keRY+nJMZr-dJ26|0s(91+fdljl8fB1
zB$Hw({yfaZS&KS69y2i|Fe3&DDuzgg_YDCF6)_eB6dVC9Ut!VMO`1iXZ%EV5pGduA
zfiN*JAutIB1uG5%0vZJX1QgAAe)XVo9v(h&*1s2I;=sflLXrds#pC`>MoE$c0s;sC
DF8QKu


From 1659862b1029aa73b522b58f8b30530f1ec4969a Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 23 Jul 2021 22:29:20 +0300
Subject: [PATCH 038/116] deps(web-eid-authtoken-validation-java): update to
 v1.1.0, use ZonedDateTime

Refs WE2-458

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/pom.xml                               |  2 +-
 .../config/SameSiteCookieConfiguration.java   | 22 +++++++++++++++++++
 .../config/ValidationConfiguration.java       | 14 ++++++------
 .../AuthTokenDTOAuthenticationProvider.java   |  3 +--
 .../security/WebEidAuthentication.java        | 22 +++++++++++++++++++
 .../example/service/SigningService.java       |  2 +-
 .../example/web/rest/ChallengeController.java |  2 --
 .../example/web/rest/SigningController.java   |  2 +-
 .../webeid/example/WebApplicationTest.java    |  9 ++++----
 9 files changed, 60 insertions(+), 18 deletions(-)

diff --git a/example/pom.xml b/example/pom.xml
index 1684073..4a44fee 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -20,7 +20,7 @@
 		<java.version>1.8</java.version>
 		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
 		<caffeine.version>2.8.5</caffeine.version>
-		<webeid.version>1.0.2</webeid.version>
+		<webeid.version>1.1.0</webeid.version>
 		<jmockit.version>1.44</jmockit.version>
 	</properties>
 
diff --git a/example/src/main/java/org/webeid/example/config/SameSiteCookieConfiguration.java b/example/src/main/java/org/webeid/example/config/SameSiteCookieConfiguration.java
index 2183a9f..f735424 100644
--- a/example/src/main/java/org/webeid/example/config/SameSiteCookieConfiguration.java
+++ b/example/src/main/java/org/webeid/example/config/SameSiteCookieConfiguration.java
@@ -1,3 +1,25 @@
+/*
+ * Copyright (c) 2021 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 package org.webeid.example.config;
 
 import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
diff --git a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
index c52854a..eb79607 100644
--- a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
+++ b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020, 2021 The Web eID Project
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -49,7 +49,7 @@
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
-import java.time.LocalDateTime;
+import java.time.ZonedDateTime;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.List;
@@ -69,9 +69,9 @@ public CacheManager cacheManager() {
     }
 
     @Bean
-    public Cache<String, LocalDateTime> nonceCache() {
+    public Cache<String, ZonedDateTime> nonceCache() {
         final CacheManager cacheManager = cacheManager();
-        Cache<String, LocalDateTime> cache = cacheManager.getCache(CACHE_NAME);
+        Cache<String, ZonedDateTime> cache = cacheManager.getCache(CACHE_NAME);
 
         if (cache == null) {
             cache = createNonceCache(cacheManager);
@@ -149,9 +149,9 @@ public YAMLConfig yamlConfig() {
         return new YAMLConfig();
     }
 
-    private Cache<String, LocalDateTime> createNonceCache(CacheManager cacheManager) {
-        CompleteConfiguration<String, LocalDateTime> cacheConfig = new MutableConfiguration<String, LocalDateTime>()
-                .setTypes(String.class, LocalDateTime.class)
+    private Cache<String, ZonedDateTime> createNonceCache(CacheManager cacheManager) {
+        CompleteConfiguration<String, ZonedDateTime> cacheConfig = new MutableConfiguration<String, ZonedDateTime>()
+                .setTypes(String.class, ZonedDateTime.class)
                 .setExpiryPolicyFactory(factoryOf(new CreatedExpiryPolicy(
                         new Duration(TimeUnit.MINUTES, NONCE_TTL_MINUTES + 1))));
         return cacheManager.createCache(CACHE_NAME, cacheConfig);
diff --git a/example/src/main/java/org/webeid/example/security/AuthTokenDTOAuthenticationProvider.java b/example/src/main/java/org/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
index 1f27338..db63854 100644
--- a/example/src/main/java/org/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
+++ b/example/src/main/java/org/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020, 2021 The Web eID Project
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -35,7 +35,6 @@
 import org.springframework.stereotype.Component;
 import org.webeid.example.security.dto.AuthTokenDTO;
 import org.webeid.security.exceptions.TokenValidationException;
-import org.webeid.security.util.CertUtil;
 import org.webeid.security.validator.AuthTokenValidator;
 
 import java.security.cert.CertificateEncodingException;
diff --git a/example/src/main/java/org/webeid/example/security/WebEidAuthentication.java b/example/src/main/java/org/webeid/example/security/WebEidAuthentication.java
index f935aab..6c5ec3c 100644
--- a/example/src/main/java/org/webeid/example/security/WebEidAuthentication.java
+++ b/example/src/main/java/org/webeid/example/security/WebEidAuthentication.java
@@ -1,3 +1,25 @@
+/*
+ * Copyright (c) 2021 The Web eID Project
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 package org.webeid.example.security;
 
 import org.springframework.security.core.Authentication;
diff --git a/example/src/main/java/org/webeid/example/service/SigningService.java b/example/src/main/java/org/webeid/example/service/SigningService.java
index 43eddde..ed90ad1 100644
--- a/example/src/main/java/org/webeid/example/service/SigningService.java
+++ b/example/src/main/java/org/webeid/example/service/SigningService.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020, 2021 The Web eID Project
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/org/webeid/example/web/rest/ChallengeController.java b/example/src/main/java/org/webeid/example/web/rest/ChallengeController.java
index 602a11d..677539b 100644
--- a/example/src/main/java/org/webeid/example/web/rest/ChallengeController.java
+++ b/example/src/main/java/org/webeid/example/web/rest/ChallengeController.java
@@ -22,8 +22,6 @@
 
 package org.webeid.example.web.rest;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
diff --git a/example/src/main/java/org/webeid/example/web/rest/SigningController.java b/example/src/main/java/org/webeid/example/web/rest/SigningController.java
index 652105c..65030b7 100644
--- a/example/src/main/java/org/webeid/example/web/rest/SigningController.java
+++ b/example/src/main/java/org/webeid/example/web/rest/SigningController.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020, 2021 The Web eID Project
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/test/java/org/webeid/example/WebApplicationTest.java b/example/src/test/java/org/webeid/example/WebApplicationTest.java
index 499558c..da36307 100644
--- a/example/src/test/java/org/webeid/example/WebApplicationTest.java
+++ b/example/src/test/java/org/webeid/example/WebApplicationTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020, 2021 The Web eID Project
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -41,11 +41,12 @@
 import org.webeid.example.testutil.Dates;
 import org.webeid.example.testutil.HttpHelper;
 import org.webeid.example.testutil.ObjectMother;
+import org.webeid.security.util.UtcDateTime;
 import org.webeid.security.validator.AuthTokenValidatorData;
 import org.webeid.security.validator.validators.SubjectCertificateNotRevokedValidator;
 
 import javax.cache.Cache;
-import java.time.LocalDateTime;
+import java.time.ZonedDateTime;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
@@ -55,7 +56,7 @@
 public class WebApplicationTest {
 
     @Autowired
-    Cache<String, LocalDateTime> cache;
+    Cache<String, ZonedDateTime> cache;
 
     @Autowired
     private WebApplicationContext context;
@@ -102,7 +103,7 @@ public void validateOcspResponse(XadesSignature xadesSignature) {
             }
         };
 
-        cache.put(TEST_NONCE, LocalDateTime.now().plusMinutes(5));
+        cache.put(TEST_NONCE, UtcDateTime.now().plusMinutes(5));
 
         final MockHttpSession session = new MockHttpSession();
 

From 85f66f8ee198eb07c7ea497785dc3d75a34551ab Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 27 Jul 2021 13:46:59 +0300
Subject: [PATCH 039/116] release(html): web-eid release v1.0.0

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 .../js/{web-eid-0.9.0.js => web-eid-1.0.0.js} | 15 +++++++--
 .../src/main/resources/templates/index.html   | 32 +++++--------------
 .../welcome-with-file-upload-support.html     |  2 +-
 .../src/main/resources/templates/welcome.html |  2 +-
 4 files changed, 22 insertions(+), 29 deletions(-)
 rename example/src/main/resources/static/js/{web-eid-0.9.0.js => web-eid-1.0.0.js} (97%)

diff --git a/example/src/main/resources/static/js/web-eid-0.9.0.js b/example/src/main/resources/static/js/web-eid-1.0.0.js
similarity index 97%
rename from example/src/main/resources/static/js/web-eid-0.9.0.js
rename to example/src/main/resources/static/js/web-eid-1.0.0.js
index b5b7419..3a017bb 100644
--- a/example/src/main/resources/static/js/web-eid-0.9.0.js
+++ b/example/src/main/resources/static/js/web-eid-1.0.0.js
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -19,9 +19,8 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  * SOFTWARE.
  */
-
 var config = Object.freeze({
-    VERSION: "0.9.0",
+    VERSION: "1.0.0",
     EXTENSION_HANDSHAKE_TIMEOUT: 1000,
     NATIVE_APP_HANDSHAKE_TIMEOUT: 5 * 1000,
     DEFAULT_USER_INTERACTION_TIMEOUT: 2 * 60 * 1000,
@@ -51,6 +50,7 @@ var ErrorCode;
     // Third party errors
     ErrorCode["ERR_WEBEID_SERVER_REJECTED"] = "ERR_WEBEID_SERVER_REJECTED";
     ErrorCode["ERR_WEBEID_USER_CANCELLED"] = "ERR_WEBEID_USER_CANCELLED";
+    ErrorCode["ERR_WEBEID_NATIVE_INVALID_ARGUMENT"] = "ERR_WEBEID_NATIVE_INVALID_ARGUMENT";
     ErrorCode["ERR_WEBEID_NATIVE_FATAL"] = "ERR_WEBEID_NATIVE_FATAL";
     // Developer mistakes
     ErrorCode["ERR_WEBEID_ACTION_PENDING"] = "ERR_WEBEID_ACTION_PENDING";
@@ -116,6 +116,14 @@ class ActionPendingError extends Error {
     }
 }
 
+class NativeInvalidArgumentError extends Error {
+    constructor(message = "native application received an invalid argument") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_NATIVE_INVALID_ARGUMENT;
+    }
+}
+
 class NativeFatalError extends Error {
     constructor(message = "native application terminated with a fatal error") {
         super(message);
@@ -257,6 +265,7 @@ const errorCodeToErrorClass = {
     [ErrorCode$1.ERR_WEBEID_ORIGIN_MISMATCH]: OriginMismatchError,
     [ErrorCode$1.ERR_WEBEID_CONTEXT_INSECURE]: ContextInsecureError,
     [ErrorCode$1.ERR_WEBEID_EXTENSION_UNAVAILABLE]: ExtensionUnavailableError,
+    [ErrorCode$1.ERR_WEBEID_NATIVE_INVALID_ARGUMENT]: NativeInvalidArgumentError,
     [ErrorCode$1.ERR_WEBEID_NATIVE_FATAL]: NativeFatalError,
     [ErrorCode$1.ERR_WEBEID_NATIVE_UNAVAILABLE]: NativeUnavailableError,
     [ErrorCode$1.ERR_WEBEID_PROTOCOL_INSECURE]: ProtocolInsecureError,
diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index 9be1e83..b471103 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -46,37 +46,22 @@ <h4>Table of contents</h4>
             <hr/>
             <h3><a id="usage"></a>Usage</h3>
             <p>
-                Instructions for installing and testing version 1.0.0-rc2 in Firefox, Chrome, Edge or Safari:
+                Instructions for installing and testing version 1.0.0 in Firefox, Chrome, Edge or Safari:
             </p>
             <ol>
                 <li>
                     Download and run the Web eID native app and browser extension installer:
                     <ul>
                         <li>on <b>Ubuntu Linux</b> 20.04, for Firefox and Chrome from <a
-                                href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc2/web-eid_1.0.0.511_amd64.deb">here</a>,
+                                href="https://installer.id.ee/media/web-eid/web-eid_1.0.0.521-2004_amd64.deb">here</a>,
                             install it with either the Ubuntu Software Center or from the console with<br>
-                            <code>sudo apt install ./web-eid_1.0.0.511_amd64.deb</code>
+                            <code>sudo apt install ./web-eid_[version].deb</code>
                         </li>
-                        <li>on <b>macOS</b> 10.15 or later,
-                            <ul>
-                                <li>
-                                    for Firefox from <a
-                                        href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc2/web-eid-firefox_1.0.0.511.pkg">here</a>,
-                                </li>
-                                <li>
-                                    for Chrome from <a
-                                        href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc2/web-eid-chrome_1.0.0.511.pkg">here</a>;
-                                </li>
-                                <li>
-                                    Safari extension is also available from <a
-                                        href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc2/web-eid-safari_1.0.0.511.pkg">here</a>,
-                                    but it is not yet signed, so it is not currently possible to enable it; a signed
-                                    release will be available shortly.
-                                </li>
-                            </ul>
+                        <li>on <b>macOS</b> 10.15 or later, for Firefox, Chrome and Safari from <a
+                                href="https://installer.id.ee/media/web-eid/web-eid_1.0.0.525.dmg">here</a>,
                         </li>
                         <li>on <b>Windows</b> 10 (64-bit), for Firefox, Chrome and Edge from <a
-                                href="https://github.com/web-eid/web-eid-app/releases/download/1.0.0-rc2/web-eid_1.0.0.511.x64.qt.msi">here</a>.
+                                href="https://installer.id.ee/media/web-eid/web-eid_1.0.0.527.exe">here</a>.
                         </li>
                     </ul>
                 </li>
@@ -84,8 +69,7 @@ <h3><a id="usage"></a>Usage</h3>
                     The installer will install the browser extension for all supported browsers automatically.
                     The extension must be manually enabled from either the extension installation pop-up that appears in
                     the browser or from the browser extensions management page and may need browser restart under
-                    certain
-                    circumstances.
+                    certain circumstances.
                 </li>
                 <li>
                     Attach a smart card reader to the computer and insert the eID card into the reader.
@@ -215,7 +199,7 @@ <h3><a id="for-developers"></a>For developers</h3>
 
 <script type="module">
     "use strict";
-    import * as webeid from "/js/web-eid-0.9.0.js";
+    import * as webeid from "/js/web-eid-1.0.0.js";
     import {hideErrorMessage, showErrorMessage} from "/js/error-message.js";
 
     hideErrorMessage();
diff --git a/example/src/main/resources/templates/welcome-with-file-upload-support.html b/example/src/main/resources/templates/welcome-with-file-upload-support.html
index 7b14aa3..9920e7b 100644
--- a/example/src/main/resources/templates/welcome-with-file-upload-support.html
+++ b/example/src/main/resources/templates/welcome-with-file-upload-support.html
@@ -37,7 +37,7 @@ <h2 class="adding-signature">Sign a document</h2>
 
         <script type="module">
             "use strict";
-            import * as webeid from "/js/web-eid-0.9.0.js";
+            import * as webeid from "/js/web-eid-1.0.0.js";
             import { hideErrorMessage, showErrorMessage } from "/js/error-message.js";
 
             const signButton = document.querySelector("#webeid-sign-button");
diff --git a/example/src/main/resources/templates/welcome.html b/example/src/main/resources/templates/welcome.html
index e2d8221..de28257 100644
--- a/example/src/main/resources/templates/welcome.html
+++ b/example/src/main/resources/templates/welcome.html
@@ -50,7 +50,7 @@ <h2 class="adding-signature">Digital signing</h2>
 
 <script type="module">
     "use strict";
-    import * as webeid from "/js/web-eid-0.9.0.js";
+    import * as webeid from "/js/web-eid-1.0.0.js";
     import {hideErrorMessage, showErrorMessage} from "/js/error-message.js";
 
     const signButton = document.querySelector("#webeid-sign-button");

From 7583afd6d1fe9dc9f0e8f9c2188110bd8e2a208f Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Thu, 29 Jul 2021 16:30:25 +0300
Subject: [PATCH 040/116] doc(html): Safari support is upcoming

---
 example/src/main/resources/templates/index.html | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index b471103..6991370 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -46,7 +46,8 @@ <h4>Table of contents</h4>
             <hr/>
             <h3><a id="usage"></a>Usage</h3>
             <p>
-                Instructions for installing and testing version 1.0.0 in Firefox, Chrome, Edge or Safari:
+                Instructions for installing and testing version 1.0.0 in Firefox, Chrome or Edge
+                (Safari support on macOS will also be available shortly):
             </p>
             <ol>
                 <li>
@@ -57,7 +58,7 @@ <h3><a id="usage"></a>Usage</h3>
                             install it with either the Ubuntu Software Center or from the console with<br>
                             <code>sudo apt install ./web-eid_[version].deb</code>
                         </li>
-                        <li>on <b>macOS</b> 10.15 or later, for Firefox, Chrome and Safari from <a
+                        <li>on <b>macOS</b> 10.15 or later, for Firefox and Chrome from <a
                                 href="https://installer.id.ee/media/web-eid/web-eid_1.0.0.525.dmg">here</a>,
                         </li>
                         <li>on <b>Windows</b> 10 (64-bit), for Firefox, Chrome and Edge from <a

From e9448256805ac994d8b868db887e4b9f78f6dd0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mart=20S=C3=B5mermaa?= <mrts.pydev@gmail.com>
Date: Tue, 3 Aug 2021 07:40:00 +0300
Subject: [PATCH 041/116] doc(html): update macOS uninstallation instructions,
 log locations and mention .NET versions (#10)

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>

Co-authored-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 .../src/main/resources/templates/index.html   | 45 +++++++++++--------
 1 file changed, 27 insertions(+), 18 deletions(-)

diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index 6991370..5592aae 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -91,28 +91,25 @@ <h3><a id="usage"></a>Usage</h3>
 
             <hr/>
             <h4>Uninstallation</h4>
+            <p>The uninstaller will remove the browser extension from all supported browsers automatically.</p>
 
             <h5>Ubuntu Linux</h5>
-            <p>Uninstall Web eID either using the Ubuntu Software Center or from the console with<br>
+            <p>Uninstall the Web eID software either using the Ubuntu Software Center or from the console with<br>
                 <code>sudo apt purge web-eid</code></p>
-            <p>The uninstaller will remove the browser extension from all supported browsers automatically.</p>
 
             <h5>macOS</h5>
-            <p>Uninstall Web eID with<br>
-                <code>sudo rm -rf /Applications/Utilities/web-eid.app \</code><br>
-                <code>&nbsp;&nbsp;/Library/Google/Chrome/NativeMessagingHosts/eu.webeid.json \</code><br>
-                <code>&nbsp;&nbsp;/Library/Application\ Support/Mozilla/NativeMessagingHosts/eu.webeid.json \</code><br>
-                <code>&nbsp;&nbsp;/Library/Application\ Support/Google/Chrome/External\
-                    Extensions/ncibgoaomkmdpilpocfeponihegamlic.json</code><br>
-                <code>PLIST=/Library/Preferences/org.mozilla.firefox.plist</code><br>
-                <code>sudo defaults write ${PLIST} ExtensionSettings \</code><br>
-                <code>&nbsp;&nbsp;-dict-add "'{e68418bc-f2b0-4459-a9ea-3e72b6751b07}'" "{ 'installation_mode' =
-                    'blocked'; }"</code>
-            </p>
+            <p>To uninstall the Web eID software, do the following:</p>
+            <ol>
+                <li>download the Web eID native app and browser extension installer as instructed above,</li>
+                <li>open the downloaded file,</li>
+                <li>open <i>Terminal</i>,</li>
+                <li>drag and drop <code>uninstall.sh</code> from the downloaded file to the <i>Terminal</i> window,</li>
+                <li>press <i>Enter</i> and <i>Y</i>,</li>
+                <li>enter your password.</li>
+            </ol>
 
             <h5>Windows</h5>
-            <p>Uninstall Web eID using <i>Add or remove programs</i>.</p>
-            <p>The uninstaller will remove the browser extension from all supported browsers automatically.</p>
+            <p>Uninstall the Web eID software using <i>Add or remove programs</i>.</p>
 
             <h4>Debugging and logs</h4>
             <ul>
@@ -129,8 +126,11 @@ <h4>Debugging and logs</h4>
                             <code>echo 'logging=true' > ~/.config/RIA/web-eid.conf</code>
                         </li>
                         <li>in macOS, run the following command in the console:<br>
-                            <code>defaults write eu.web-eid.web-eid logging true</code><br>
-                            <code>defaults write eu.web-eid.web-eid-safari logging true</code>
+                            <code>defaults write \</code><br>
+                            <code>&nbsp;&nbsp;"$HOME/Library/Containers/eu.web-eid.web-eid/Data/Library/Preferences/eu.web-eid.web-eid.plist"
+                                \</code><br>
+                            <code>&nbsp;&nbsp;logging true</code><!-- <br>
+                            <code>defaults write "$HOME/Library/Containers/eu.web-eid.web-eid-safari/Data/Library/Preferences/eu.web-eid.web-eid-safari.plist" true</code> -->
                         </li>
                         <li>in Windows, add the following registry key:<br>
                             <code>[HKEY_CURRENT_USER\SOFTWARE\RIA\web-eid]</code><br>
@@ -142,7 +142,12 @@ <h4>Debugging and logs</h4>
                     The native app logs are stored in
                     <ul>
                         <li><code>~/.local/share/RIA/web-eid/web-eid.log</code> in Linux</li>
-                        <li><code>~/Library/Application Support/RIA/web-eid/web-eid.log</code> in macOS</li>
+                        <li><code>~/Library/Containers/eu.web-eid.web-eid/Data/Library/Application\
+                            Support/RIA/web-eid/web-eid.log</code> in macOS
+                        </li>
+                        <!-- <li><code>~/Library/Containers/eu.web-eid.web-eid-safari/Data/Library/Application\
+                           Support/RIA/web-eid-safari/web-eid-safari.log</code> of Safari in macOS
+                        </li> -->
                         <li>
                             <code>C:/Users/&lt;USER&gt;/AppData/Local/RIA/web-eid/web-eid.log</code> in Windows.
                         </li>
@@ -167,6 +172,8 @@ <h3><a id="documentation"></a>Documentation</h3>
             <h3><a id="for-developers"></a>For developers</h3>
             <p>
                 Currently the Web eID back-end libraries are available for Java web applications.
+                The .NET/C# version is in the works, the development version is available
+                <a href="https://github.com/web-eid/web-eid-authtoken-validation-dotnet/">here</a>.
             </p>
             <p>
                 To implement authentication and digital signing with Web eID in a Java web application,
@@ -189,6 +196,8 @@ <h3><a id="for-developers"></a>For developers</h3>
                 The full source code of an example Spring Boot web application that uses Web eID for authentication
                 and digital signing is available
                 <a href="https://github.com/web-eid/web-eid-spring-boot-example">here</a>.
+                The .NET/C# version of the example will eventually be available
+                <a href="https://github.com/web-eid/web-eid-asp-dotnet-example">here</a>.
             </p>
         </div>
     </div>

From ddcd16988f7d73300e30c0b3dfeb3822c78cab08 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Thu, 5 Aug 2021 22:39:22 +0300
Subject: [PATCH 042/116] doc(README): rework documentation and trim
 configuration

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/README.md                             | 262 ++++++++++++------
 example/docker-compose.yml                    |   3 +
 example/mvnw                                  |   0
 example/pom.xml                               |  18 ++
 .../config/ValidationConfiguration.java       |  28 +-
 .../org/webeid/example/config/YAMLConfig.java |  12 +-
 .../src/main/resources/application-dev.yaml   |   4 +
 .../src/main/resources/application-prod.yaml  |   5 +
 example/src/main/resources/application.yaml   |  15 +-
 .../certs/dev}/TEST_of_ESTEID-SK_2015.cer     | Bin
 .../certs/dev}/TEST_of_ESTEID2018.cer         | Bin
 .../certs/{ => prod}/ESTEID-SK_2015.cer       | Bin
 .../resources/certs/{ => prod}/ESTEID2018.cer | Bin
 .../certs/{ => prod}/trusted_certificates.jks | Bin
 .../AuthenticationRestControllerTest.java     |  22 +-
 .../webeid/example/WebApplicationTest.java    |   2 +-
 example/src/test/resources/application.yaml   |  12 -
 17 files changed, 239 insertions(+), 144 deletions(-)
 mode change 100644 => 100755 example/mvnw
 create mode 100644 example/src/main/resources/application-dev.yaml
 create mode 100644 example/src/main/resources/application-prod.yaml
 rename example/src/{test/resources/certs => main/resources/certs/dev}/TEST_of_ESTEID-SK_2015.cer (100%)
 rename example/src/{test/resources/certs => main/resources/certs/dev}/TEST_of_ESTEID2018.cer (100%)
 rename example/src/main/resources/certs/{ => prod}/ESTEID-SK_2015.cer (100%)
 rename example/src/main/resources/certs/{ => prod}/ESTEID2018.cer (100%)
 rename example/src/main/resources/certs/{ => prod}/trusted_certificates.jks (100%)
 delete mode 100644 example/src/test/resources/application.yaml

diff --git a/example/README.md b/example/README.md
index d775432..ec6ae9e 100644
--- a/example/README.md
+++ b/example/README.md
@@ -5,7 +5,163 @@
 Example Spring Boot web application that uses Web eID for strong authentication
 and digital signing with electronic ID smart cards.
 
-More information about the Web eID project is available on the project [website](https://web-eid.eu/).
+More information about the Web eID project is available on the project [website](https://web-eid.eu/), which is served by this application.
+
+## Quickstart
+
+Complete the steps below to run the example application in order to test authentication and digital signing with Web eID.
+
+### 1. Setup HTTPS
+
+Web eID only works over a HTTPS connection with a trusted HTTPS certificate.
+You can either setup a reverse HTTPS proxy during development or, alternatively, configure
+HTTPS support directly in the bundled web server. HTTPS configuration is described in more detail in section _[HTTPS support](#https-support)_ below.
+
+You can use, for example, [_ngrok_](https://ngrok.com/) to get a reverse HTTPS proxy. Download _ngrok_ and run it in a terminal window by providing the protocol and Spring Boot application port arguments as follows:
+
+    ngrok http 8080
+
+### 2. Configure the origin URL
+
+One crucial step of Web eID authentication token validation algorithm is verifying that the _aud_ field of the token contains the site origin URL (the URL serving the web application) to protect against man-in-the-middle attacks. Hence the site origin URL must be configured in application settings.
+
+To configure the origin URL, copy and paste the HTTPS URL that _ngrok_ did output in step 1 into the `local-origin` field in the profile-specific settings file `src/main/resources/application-{dev,prod}.yaml` as follows:
+
+```yaml
+web-eid-auth-token:
+    validation:
+        local-origin: "https://<<NGROK URL HERE>>"
+```
+
+### 3. Configure the trusted certificate authority certificates
+
+The Web eID authentication token validation algorithm needs to know which intermediate certificate authorities (CA) are trusted to issue the eID authentication certificates. CA certificates are loaded either from `.cer` files in the profile-specific subdirectory of the [`certs`resource directory](src/main/resources/certs) or the [truststore file](src/main/resources/certs/prod/trusted_certificates.jks). By default, Estonian eID test CA certificates are included in the `dev` profile and production CA certificates in the `prod` profile.
+
+In case you need to provide your own CA certificates, either add the `.cer` files to the `src/main/resources/certs/{dev,prod}` profile-specific directory or add the certificates to the truststore file.
+
+### 4. Choose either the `dev` or `prod` profile
+
+If you have a test eID card, use the `dev` profile. In this case access to paid services is not required, but you need to upload the authentication and signing certificates of the test card to the test OCSP responder database as described in section _[Using DigiDoc4j in test mode with the `dev` profile](#using-digidoc4j-in-test-mode-with-the-dev-profile)_ below. The `dev` profile is activated by default.
+
+If you only have a production eID card, use the `prod` profile. You can still test authentication without further configuration; however, for digital signing to work, you need access to a paid timestamping service as described in section [_Using DigiDoc4j in production mode with the `prod` profile_](#using-digidoc4j-in-production-mode-with-the-prod-profile) below.
+
+You can specify the profile as a command-line argument to the Maven wrapper command `./mvnw`, for example `./mvnw -Pprod ...`.
+
+### 5. Run the application
+
+Spring Boot web applications can be run from the command-line. You need to have the Java Development Kit 8 installed for building the application package and running the application.
+
+Build and run the application with the following command in a terminal window:
+
+```sh
+./mvnw spring-boot:run
+```
+
+This will activate the default `dev` profile and launch the built-in Tomcat web server on port 8080 that was forwarded to _ngrok_ in step 1.
+
+When the application has started, open the _ngrok_ HTTPS URL in your preferred web browser and follow instructions on the front page.
+
+## Table of contents
+
+* [Quickstart](#quickstart)
+* [Overview of the project](#overview-of-the-project)
+  + [Overview of the source code](#overview-of-the-source-code)
+  + [Configuration](#configuration)
+  + [Integration with Web eID components](#integration-with-web-eid-components)
+  + [Integration with DigiDoc4j components](#integration-with-digidoc4j-components)
+    - [Using the Certificates' *Authority Information Access* (AIA) extension in DigiDoc4j](#using-the-certificates-_authority-information-access_-aia-extension-in-digidoc4j)
+    - [Using DigiDoc4j in test mode with the `dev` profile](#using-digidoc4j-in-test-mode-with-the-dev-profile)
+    - [Using DigiDoc4j in production mode with the `prod` profile](#using-digidoc4j-in-production-mode-with-the-prod-profile)
+  + [Stateful and stateless authentication](#stateful-and-stateless-authentication)
+  + [Assuring that the signing and authentication certificate subjects match](#assuring-that-the-signing-and-authentication-certificate-subjects-match)
+* [HTTPS support](#https-support)
+  + [How to verify that HTTPS is configured properly](#how-to-verify-that-https-is-configured-properly)
+* [Deployment](#deployment)
+* [Frequently asked questions](#frequently-asked-questions)
+  + [Why do I sometimes get the `403 Forbidden` response during authentication?](#why-do-i-sometimes-get-the-403-forbidden-response-during-authentication)
+  + [Why do I get the `"Access denied to TSP service"` error?](#why-do-i-get-the-access-denied-to-tsp-service-error)
+
+## Overview of the project
+
+This repository contains the code of a minimal Spring Boot web application that demonstrates how to use Web eID for strong authentication and digital signing. It makes use of the following technologies:
+
+-   Spring Web MVC with REST support,
+-   the Thymeleaf template engine,
+-   Spring Security,
+-   the Spring cache abstraction and the [_Caffeine_](https://github.com/ben-manes/caffeine) _JCache_-compatible caching implementation,
+-   the Web eID authentication token validation library [_web-eid-authtoken-validation-java_](https://github.com/web-eid/web-eid-authtoken-validation-java),
+-   the Web eID JavaScript library [_web-eid.js_](https://github.com/web-eid/web-eid.js),
+-   the digital signing library [_DigiDoc4j_](https://github.com/open-eid/digidoc4j).
+
+The project uses Maven for managing the dependencies and building the application. Maven project configuration file `pom.xml` is in the root of the project.
+
+There is also a Docker Compose configuration file `docker-compose.yml` in the root of the project for building the application Docker image as described in section [_Deployment_](#deployment) below.
+
+### Overview of the source code
+
+The source code folder `src` contains the application source code and resources in the `main` subdirectory and tests in the `test` subdirectory.
+
+The `src/main/java/org/webeid/example` directory contains the Spring Boot application Java class and the following sub-folders:
+
+-   `config`: Spring and HTTP security configuration, Web eID authentication token validation library configuration, cache configuration, trusted CA certificates loading etc,
+-   `security`: Web eID authentication token validation library integration with Spring Security via an `AuthenticationProvider` and `AuthenticationProcessingFilter`,
+-   `service`: Web eID signing service implementation that uses DigiDoc4j, and DigiDoc4j runtime configuration,
+-   `web`: Spring Web MVC controller for the welcome page and Spring Web REST controllers that provide endpoints
+    -   for getting the challenge nonce used by the authentication token validation library,
+    -   for digital signing.
+
+The `src/resources` directory contains the resources used by the application:
+
+-   `application.yaml`: main configuration file that is shared by all profiles,
+-   `application-{dev,prod}.yaml`: profile-specific configuration files,
+-   `application.properties`: activates the `dev` profile by default,
+-   `certs`: CA certificates in profile-specific subdirectories,
+-   `static`: web server static content, including CSS and JavaScript files,
+-   `templates`: Thymeleaf templates.
+
+The `src/tests` directory contains the application test suite. The most important test is the `WebApplicationTest.testHappyFlow_LoginPrepareSignDownload()` method that tests the full authentication and digital signing workflow.
+
+### Configuration
+
+As described in section [_4. Choose either the `dev` or `prod` profile_](#4-choose-either-the-dev-or-prod-profile) above, the application has two different configuration profiles: `dev` profile for running the application in development mode and `prod` profile for production mode. The `dev` profile is activated by default.
+
+The profile-specific configuration files `src/main/resources/application-{dev,prod}.yaml` contain the `web-eid-auth-token.validation.use-digidoc4j-prod-configuration` setting that configures DigiDoc4j either in test or production mode, and a setting for configuring the origin URL as described in section [_2. Configure the origin URL_](#2-configure-the-origin-url) above. Additionally, the `web-eid-auth-token.validation.truststore-password` setting specifies the truststore password used in the `prod` profile.
+
+The main configuration file `src/main/resources/application.yaml` is shared by all profiles and contains logging configuration and settings that make the session cookie secure behind a reverse proxy as described in section [_HTTPS support_](#https-support) below.
+
+Besides configuration settings, the trusted certificate authority certificates may need to be configured as described in section [_3. Configure the trusted certificate authority certificates_](#3-configure-the-trusted-certificate-authority-certificates) above.
+
+### Integration with Web eID components
+
+Detailed overview of Java code changes required for integrating Web eID authentication token validation is available in the [_web-eid-authtoken-validation-java_ library README](https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/README.md). There are instructions for configuring the cache, nonce generator, trusted certificate authority certificates, authentication token validator, Spring Security authentication integration and REST endpoints. The corresponding Java code is in the `src/main/java/org/webeid/example/{config,security}` and `src/.../web/rest` directories.
+
+A similar overview of JavaScript and HTML code changes required for authentication and digital signing with Web eID is available in the [web-eid.js library README](https://github.com/web-eid/web-eid.js/blob/main/README.md). The corresponding JavaScript and HTML code is in the `src/resources/{static,templates}` directories.
+
+### Integration with DigiDoc4j components
+
+Java code examples how to create and sign data containers that hold signed file objects and digital signatures is available in the [DigiDoc4j wiki](https://github.com/open-eid/digidoc4j/wiki/Examples-of-using-it). Further information and links to the API documentation is available in the project [README](https://github.com/open-eid/digidoc4j/blob/master/README.md). The corresponding Java code is in the `src/main/java/org/webeid/example/service` and `src/.../web/rest` directories.
+
+#### Using the Certificates' _Authority Information Access_ (AIA) extension in DigiDoc4j
+
+In the `SigningService` constructor, we have configured DigiDoc4j to use the AIA extension that contains the certificates’ OCSP service location with `signingConfiguration.setPreferAiaOcsp(true)`. **Note that there may be legal limitations to using AIA URLs during signing** as the services behind these URLs provide different security and SLA guarantees than dedicated OCSP services, so you should consider using a dedicated OCSP service instead according to instructions in DigiDoc4j documentation. See also the [corresponding section in _web-eid-authtoken-validation-java_ README](https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/README.md#certificates-authority-information-access-aia-extension).
+
+#### Using DigiDoc4j in test mode with the `dev` profile
+
+When using DigiDoc4j in test mode with a test eID card, you need to upload the corresponding authentication and signing certificates to the _demo.sk.ee_ OCSP responder database at https://demo.sk.ee/upload_cert/index.php, according to instructions on the webpage. You can choose the certificate status during upload, so you can test bad statuses as well as needed.
+
+#### Using DigiDoc4j in production mode with the `prod` profile
+
+When using DigiDoc4j in production mode, you need access to a paid timestamping service by registering your server's IP address with the service provider. Besides that, you may want to use a paid OCSP service for legal and reliability reasons as described above.
+
+### Stateful and stateless authentication
+
+In the current example, we use the classical stateful Spring Security session cookie-based authentication mechanism where a cookie that contains the user session ID is set during successful login and session data is stored at sever side. Cookie-based authentication must be protected against cross-site request forgery (CSRF) attacks and extra measures must be taken to secure the cookies by serving them only over HTTPS and setting the _HttpOnly_, _Secure_ and _SameSite_ attributes.
+
+A common alternative to stateful authentication is stateless authentication with JSON Web Tokens (JWT) where the session data resides inside the token at client side. The Web eID authentication token itself is a JWT token, but it should be considered a temporary authentication information carrier during login and should not be used afterwards. In case you want to use JWT authentication, you should issue a new JWT after successful Web eID authentication token validation.
+
+### Assuring that the signing and authentication certificate subjects match
+
+It usually required to verify that the signing certificate subject matches the authentication certificate subject by assuring that both ID codes match. This check is implemented at the beginning of the `SigningService.prepareContainer()` method.
 
 ## HTTPS support
 
@@ -21,7 +177,7 @@ The first approach is straightforward and documented in the [official documentat
 
 The second approach, running behind a reverse proxy, is common in enterprise
 deployments and the configuration is more involved. We assume this setup in the
-current project and document it in this section.
+current project and document it in this section to facilitate production deployment.
 
 Enabling HTTPS support when running behind a reverse proxy server requires
 configuration of both the proxy server and the Spring Boot application.
@@ -48,9 +204,7 @@ Tomcat web server automatically if it detects the presence of the
     server.tomcat.remote-ip-header=x-forwarded-for
     server.tomcat.protocol-header=x-forwarded-proto
 
-These settings are already enabled in the default
-[`application.properties`](src/main/resources/application.properties). See
-chapter
+These settings are already enabled in the main configuration file `application.yaml`. See chapter
 [9.3.12](https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-use-behind-a-proxy-server)
 and
 [9.14.3](https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-enable-https)
@@ -59,103 +213,33 @@ in the official documentation for further details.
 ### How to verify that HTTPS is configured properly
 
 When HTTPS support is configured properly, all responses will have the HTTP
-Strict Transport Security (HSTS) header and the `JSESSIONID` session cookie has
+Strict Transport Security (HSTS) header and the `JSESSIONID` session cookie has the
 `Secure` attribute set.
 
-### Using a HTTPS proxy during development
-
-Use e.g. [_ngrok_](https://ngrok.com/) during development to get a reverse
-proxy with a trusted HTTPS certificates. Download _ngrok_ and run it locally by
-providing the protocol and Spring Boot application port as follows:
-
-    ngrok http 8080
-
-## Configuration
-
-Open application.yaml file and set up the `local-origin` and `fingerprint` fields:
-
-- The `local-origin` field must contain the url, which was generated by ngrok.
-- The `fingerprint` field must contain the SHA256 fingerprint of the certificate, which you can retrieve from the browser by navigating to the ngrok url and exploring the server certificate details. Here is a [quick guide](https://www.globalsign.com/en/blog/how-to-view-ssl-certificate-details) and for different browsers.
-
-```yaml
-spring:
-  profiles: dev
-  servlet:
-    multipart:
-      max-file-size: 5000KB
-      max-request-size: 5000KB
-token:
-  validation:
-    local-origin: "https://ade0973a6557.ngrok.io"
-    fingerprint: "11:D8:AE:60:EC:19:10:C7:94:D7:4C:82:C8:0D:96:B2:07:88:B5:6A:D2:65:FF:F9:B5:14:C8:75:F7:90:08:E1"
-    keystore-password: "changeit"
-```
+## Deployment
 
-Additionally, you can set up the keystore password, and the maximum size of the files to be uploaded.
+A Docker Compose configuration file `docker-compose.yml` is available in the root of the project for packaging the application in a Docker image so that it can be deployed with a container enginge.
 
-## Running
+Build the Docker image with [Jib](https://github.com/GoogleContainerTools/jib) as follows:
 
-Once the `local-origin` and `fingerprint` fields are set, you can run the application with the following command:
 ```sh
-./mvnw spring-boot:run
-```
-and then navigate the browser to the url, that was generated by ngrok.
-
-
-## Testing
-
-In case you don't have the Web eID extension installed or want to test `web-eid.js` message handling manually,
-you can use the browser developer tools to mock the authentication response from the extension with
-`window.postMessage()` as follows:
-
-1. Click *Authenticate*
-2. Paste the following snippet into developer tools console:
-
-```js
-var loginResponse = await fetch("/auth/login", {
-    method: "POST",
-    headers: {
-      'Content-Type': 'application/json'
-    },
-    body: '{"auth-token":"eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlFQXpDQ0EyV2dBd0lCQWdJUU9Xa0JXWE5ESm0xYnlGZDNYc1drdmpBS0JnZ3Foa2pPUFFRREJEQmdNUXN3Q1FZRFZRUUdFd0pGUlRFYk1Ca0dBMVVFQ2d3U1Uwc2dTVVFnVTI5c2RYUnBiMjV6SUVGVE1SY3dGUVlEVlFSaERBNU9WRkpGUlMweE1EYzBOekF4TXpFYk1Ca0dBMVVFQXd3U1ZFVlRWQ0J2WmlCRlUxUkZTVVF5TURFNE1CNFhEVEU0TVRBeE9EQTVOVEEwTjFvWERUSXpNVEF4TnpJeE5UazFPVm93ZnpFTE1Ba0dBMVVFQmhNQ1JVVXhLakFvQmdOVkJBTU1JVXJEbFVWUFVrY3NTa0ZCU3kxTFVrbFRWRXBCVGl3ek9EQXdNVEE0TlRjeE9ERVFNQTRHQTFVRUJBd0hTc09WUlU5U1J6RVdNQlFHQTFVRUtnd05Ta0ZCU3kxTFVrbFRWRXBCVGpFYU1CZ0dBMVVFQlJNUlVFNVBSVVV0TXpnd01ERXdPRFUzTVRnd2RqQVFCZ2NxaGtqT1BRSUJCZ1VyZ1FRQUlnTmlBQVI1azFsWHp2U2VJOU8vMXMxcFp2amhFVzhuSXRKb0cwRUJGeG1MRVk2UzdraTF2RjJRM1RFRHg2ZE56dEkxWHR4OTZjczhyNHpZVHdkaVFvRGc3azNkaVV1UjluVFdHeFFFTU8xRkRvNFk5ZkFtaVBHV1QrK0d1T1ZvWlFZM1h4aWpnZ0hETUlJQnZ6QUpCZ05WSFJNRUFqQUFNQTRHQTFVZER3RUIvd1FFQXdJRGlEQkhCZ05WSFNBRVFEQStNRElHQ3lzR0FRUUJnNUVoQVFJQk1DTXdJUVlJS3dZQkJRVUhBZ0VXRldoMGRIQnpPaTh2ZDNkM0xuTnJMbVZsTDBOUVV6QUlCZ1lFQUk5NkFRSXdId1lEVlIwUkJCZ3dGb0VVTXpnd01ERXdPRFUzTVRoQVpXVnpkR2t1WldVd0hRWURWUjBPQkJZRUZPUXN2VFFKRUJWTU1TbWh5Wlg1YmliWUp1YkFNR0VHQ0NzR0FRVUZCd0VEQkZVd1V6QlJCZ1lFQUk1R0FRVXdSekJGRmo5b2RIUndjem92TDNOckxtVmxMMlZ1TDNKbGNHOXphWFJ2Y25rdlkyOXVaR2wwYVc5dWN5MW1iM0l0ZFhObExXOW1MV05sY25ScFptbGpZWFJsY3k4VEFrVk9NQ0FHQTFVZEpRRUIvd1FXTUJRR0NDc0dBUVVGQndNQ0JnZ3JCZ0VGQlFjREJEQWZCZ05WSFNNRUdEQVdnQlRBaEprcHhFNmZPd0kwOXBuaENsWUFDQ2srZXpCekJnZ3JCZ0VGQlFjQkFRUm5NR1V3TEFZSUt3WUJCUVVITUFHR0lHaDBkSEE2THk5aGFXRXVaR1Z0Ynk1emF5NWxaUzlsYzNSbGFXUXlNREU0TURVR0NDc0dBUVVGQnpBQ2hpbG9kSFJ3T2k4dll5NXpheTVsWlM5VVpYTjBYMjltWDBWVFZFVkpSREl3TVRndVpHVnlMbU55ZERBS0JnZ3Foa2pPUFFRREJBT0Jpd0F3Z1ljQ1FnSDFVc21NZHRMWnRpNTFGcTJRUjR3VWtBd3BzbmhzQlYySFFxVVhGWUJKN0VYbkxDa2FYamRaS2tIcEFCZk0wUUV4N1VVaGFJNGk1M2ppSjdFMVk3V09BQUpCRFg0ejYxcG5pSEphcEkxYmtNSWlKUS90aTdoYThmZEpTTVNwQWRzNUN5SEl5SGtReldsVnk4NmY5bUE3RXUzb1JPLzFxK2VGVXpEYk5OM1Z2eTdnUVdRPSJdfQ.eyJhdWQiOlsiaHR0cHM6Ly9yaWEuZWUiLCJ1cm46Y2VydDpzaGEtMjU2OjZmMGRmMjQ0ZTRhODU2Yjk0YjNiM2I0NzU4MmEwYTUxYTMyZDY3NGRiYzcxMDcyMTFlZDIzZDRiZWM2ZDljNzIiXSwiZXhwIjoiMTU4Njg3MTE2OSIsImlhdCI6IjE1ODY4NzA4NjkiLCJpc3MiOiJ3ZWItZWlkIGFwcCB2MC45LjAtMS1nZTZlODlmYSIsIm5vbmNlIjoiMTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2NzgiLCJzdWIiOiJKw5VFT1JHLEpBQUstS1JJU1RKQU4sMzgwMDEwODU3MTgifQ.0Y5CdMiSZ14rOnd7sbp-XeBQ7qrJVd21yTmAbiRnzAXtwqW8ZROg4jL4J7bpQ2fwyUz4-dVwLoVRVnxfJY82b8NXuxXrDb-8MXXmVYrMW0q0kPbEzqFbEnPYHjNnKAN0"}'
-});
-
-window.postMessage({
-    action: webeid.Action.AUTHENTICATE_SUCCESS,
-    response: {
-        status: 200,
-        headers: {},
-        body: await loginResponse.json()
-    }
-});
+./mvnw -Pprod package com.google.cloud.tools:jib-maven-plugin:dockerBuild
 ```
 
-## Testing with curl
+and deploy with Docker Compose as follows:
 
-```shell script
-$ curl 'http://localhost:8080/auth/login' -H 'Content-type: application/json' --data-raw '{"auth-token":"eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlFQXpDQ0EyV2dBd0lCQWdJUU9Xa0JXWE5ESm0xYnlGZDNYc1drdmpBS0JnZ3Foa2pPUFFRREJEQmdNUXN3Q1FZRFZRUUdFd0pGUlRFYk1Ca0dBMVVFQ2d3U1Uwc2dTVVFnVTI5c2RYUnBiMjV6SUVGVE1SY3dGUVlEVlFSaERBNU9WRkpGUlMweE1EYzBOekF4TXpFYk1Ca0dBMVVFQXd3U1ZFVlRWQ0J2WmlCRlUxUkZTVVF5TURFNE1CNFhEVEU0TVRBeE9EQTVOVEEwTjFvWERUSXpNVEF4TnpJeE5UazFPVm93ZnpFTE1Ba0dBMVVFQmhNQ1JVVXhLakFvQmdOVkJBTU1JVXJEbFVWUFVrY3NTa0ZCU3kxTFVrbFRWRXBCVGl3ek9EQXdNVEE0TlRjeE9ERVFNQTRHQTFVRUJBd0hTc09WUlU5U1J6RVdNQlFHQTFVRUtnd05Ta0ZCU3kxTFVrbFRWRXBCVGpFYU1CZ0dBMVVFQlJNUlVFNVBSVVV0TXpnd01ERXdPRFUzTVRnd2RqQVFCZ2NxaGtqT1BRSUJCZ1VyZ1FRQUlnTmlBQVI1azFsWHp2U2VJOU8vMXMxcFp2amhFVzhuSXRKb0cwRUJGeG1MRVk2UzdraTF2RjJRM1RFRHg2ZE56dEkxWHR4OTZjczhyNHpZVHdkaVFvRGc3azNkaVV1UjluVFdHeFFFTU8xRkRvNFk5ZkFtaVBHV1QrK0d1T1ZvWlFZM1h4aWpnZ0hETUlJQnZ6QUpCZ05WSFJNRUFqQUFNQTRHQTFVZER3RUIvd1FFQXdJRGlEQkhCZ05WSFNBRVFEQStNRElHQ3lzR0FRUUJnNUVoQVFJQk1DTXdJUVlJS3dZQkJRVUhBZ0VXRldoMGRIQnpPaTh2ZDNkM0xuTnJMbVZsTDBOUVV6QUlCZ1lFQUk5NkFRSXdId1lEVlIwUkJCZ3dGb0VVTXpnd01ERXdPRFUzTVRoQVpXVnpkR2t1WldVd0hRWURWUjBPQkJZRUZPUXN2VFFKRUJWTU1TbWh5Wlg1YmliWUp1YkFNR0VHQ0NzR0FRVUZCd0VEQkZVd1V6QlJCZ1lFQUk1R0FRVXdSekJGRmo5b2RIUndjem92TDNOckxtVmxMMlZ1TDNKbGNHOXphWFJ2Y25rdlkyOXVaR2wwYVc5dWN5MW1iM0l0ZFhObExXOW1MV05sY25ScFptbGpZWFJsY3k4VEFrVk9NQ0FHQTFVZEpRRUIvd1FXTUJRR0NDc0dBUVVGQndNQ0JnZ3JCZ0VGQlFjREJEQWZCZ05WSFNNRUdEQVdnQlRBaEprcHhFNmZPd0kwOXBuaENsWUFDQ2srZXpCekJnZ3JCZ0VGQlFjQkFRUm5NR1V3TEFZSUt3WUJCUVVITUFHR0lHaDBkSEE2THk5aGFXRXVaR1Z0Ynk1emF5NWxaUzlsYzNSbGFXUXlNREU0TURVR0NDc0dBUVVGQnpBQ2hpbG9kSFJ3T2k4dll5NXpheTVsWlM5VVpYTjBYMjltWDBWVFZFVkpSREl3TVRndVpHVnlMbU55ZERBS0JnZ3Foa2pPUFFRREJBT0Jpd0F3Z1ljQ1FnSDFVc21NZHRMWnRpNTFGcTJRUjR3VWtBd3BzbmhzQlYySFFxVVhGWUJKN0VYbkxDa2FYamRaS2tIcEFCZk0wUUV4N1VVaGFJNGk1M2ppSjdFMVk3V09BQUpCRFg0ejYxcG5pSEphcEkxYmtNSWlKUS90aTdoYThmZEpTTVNwQWRzNUN5SEl5SGtReldsVnk4NmY5bUE3RXUzb1JPLzFxK2VGVXpEYk5OM1Z2eTdnUVdRPSJdfQ.eyJhdWQiOlsiaHR0cHM6Ly9yaWEuZWUiLCJ1cm46Y2VydDpzaGEtMjU2OjZmMGRmMjQ0ZTRhODU2Yjk0YjNiM2I0NzU4MmEwYTUxYTMyZDY3NGRiYzcxMDcyMTFlZDIzZDRiZWM2ZDljNzIiXSwiZXhwIjoiMTU4Njg3MTE2OSIsImlhdCI6IjE1ODY4NzA4NjkiLCJpc3MiOiJ3ZWItZWlkIGFwcCB2MC45LjAtMS1nZTZlODlmYSIsIm5vbmNlIjoiMTIzNDU2NzgxMjM0NTY3ODEyMzQ1Njc4MTIzNDU2NzgiLCJzdWIiOiJKw5VFT1JHLEpBQUstS1JJU1RKQU4sMzgwMDEwODU3MTgifQ.0Y5CdMiSZ14rOnd7sbp-XeBQ7qrJVd21yTmAbiRnzAXtwqW8ZROg4jL4J7bpQ2fwyUz4-dVwLoVRVnxfJY82b8NXuxXrDb-8MXXmVYrMW0q0kPbEzqFbEnPYHjNnKAN0"}'
-{"sub":"JÕEORG,JAAK-KRISTJAN,38001085718","auth":["ROLE_USER"]}
+```sh
+docker-compose up -d
 ```
 
-## Formatting code
-
-We use *prettier-java* for formatting code, install and run it as follows:
+The application will run in production mode with `prod` profile settings.
 
-```shell script
-npm install -g prettier prettier-plugin-java
-prettier --write "**/*.{java,js,html}"
-```
+## Frequently asked questions
 
-## Deployment
+### Why do I sometimes get the `403 Forbidden` response during authentication?
 
-Build Docker image with Jib as follows:
+This is most likely caused by an expired CSRF token. Please refresh the page and try again.
 
-```sh
-mvn com.google.cloud.tools:jib-maven-plugin:dockerBuild
-```
+### Why do I get the `"Access denied to TSP service"` error?
 
-and deploy with Docker Compose as follows:
-
-```sh
-docker-compose up -d
-```
+This error means that access was denied to the timestamping service. You are running in production mode with the `prod` profile and need to register for paid access to the timestamping service as described in section [_Using DigiDoc4j in production mode with the `prod` profile_](#using-digidoc4j-in-production-mode-with-the-prod-profile) above.
diff --git a/example/docker-compose.yml b/example/docker-compose.yml
index 005e79e..d415e6a 100644
--- a/example/docker-compose.yml
+++ b/example/docker-compose.yml
@@ -3,5 +3,8 @@ services:
   web-eid-springboot-example:
     image: web-eid-springboot-example:1.0.0-SNAPSHOT
     restart: always
+    environment:
+      JAVA_TOOL_OPTIONS: '-Dspring.profiles.active=prod'
     ports:
       - '127.0.0.1:8380:8080'
+
diff --git a/example/mvnw b/example/mvnw
old mode 100644
new mode 100755
diff --git a/example/pom.xml b/example/pom.xml
index 4a44fee..cf8849b 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -134,6 +134,24 @@
 		</plugins>
 	</build>
 
+	<profiles>
+		<profile>
+			<id>dev</id>
+			<activation>
+				<activeByDefault>true</activeByDefault>
+			</activation>
+			<properties>
+				<spring.profiles.active>dev</spring.profiles.active>
+			</properties>
+		</profile>
+		<profile>
+			<id>prod</id>
+			<properties>
+				<spring.profiles.active>prod</spring.profiles.active>
+			</properties>
+		</profile>
+	</profiles>
+
 	<repositories>
 		<repository>
 			<id>gitlab</id>
diff --git a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
index eb79607..f91b953 100644
--- a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
+++ b/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
@@ -23,6 +23,9 @@
 package org.webeid.example.config;
 
 import com.github.benmanes.caffeine.jcache.spi.CaffeineCachingProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.io.Resource;
@@ -60,8 +63,15 @@
 @Configuration
 public class ValidationConfiguration {
 
+    private static final Logger LOG = LoggerFactory.getLogger(ValidationConfiguration.class);
+
     private static final String CACHE_NAME = "nonceCache";
     private static final long NONCE_TTL_MINUTES = 5;
+    private static final String CERTS_RESOURCE_PATH = "/certs/";
+    public static final String TRUSTED_CERTIFICATES_JKS = "trusted_certificates.jks";
+
+    @Value("${spring.profiles.active}")
+    private String activeProfile;
 
     @Bean
     public CacheManager cacheManager() {
@@ -88,14 +98,14 @@ public NonceGenerator generator() {
     }
 
     @Bean
-    public X509Certificate[] loadTrustedCACertificatesFromResources() {
+    public X509Certificate[] loadTrustedCACertificatesFromCerFiles() {
         List<X509Certificate> caCertificates = new ArrayList<>();
 
         try {
             CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
 
             PathMatchingResourcePatternResolver resolver = new PathMatchingResourcePatternResolver();
-            Resource[] resources = resolver.getResources("/certs/*.cer");
+            Resource[] resources = resolver.getResources(CERTS_RESOURCE_PATH + activeProfile + "/*.cer");
 
             for (Resource resource : resources) {
                 X509Certificate caCertificate = (X509Certificate) certFactory.generateCertificate(resource.getInputStream());
@@ -110,12 +120,16 @@ public X509Certificate[] loadTrustedCACertificatesFromResources() {
     }
 
     @Bean
-    public X509Certificate[] loadTrustedCACertificatesFromKeyStore() {
+    public X509Certificate[] loadTrustedCACertificatesFromTrustStore() {
         List<X509Certificate> caCertificates = new ArrayList<>();
 
-        try (InputStream is = ValidationConfiguration.class.getResourceAsStream("/certs/trusted_certificates.jks")) {
+        try (InputStream is = ValidationConfiguration.class.getResourceAsStream(CERTS_RESOURCE_PATH + activeProfile + "/" + TRUSTED_CERTIFICATES_JKS)) {
+            if (is == null) {
+                LOG.info("Truststore file {} not found for {} profile", TRUSTED_CERTIFICATES_JKS, activeProfile);
+                return new X509Certificate[0];
+            }
             KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
-            keystore.load(is, yamlConfig().getKeystorePassword().toCharArray());
+            keystore.load(is, yamlConfig().getTrustStorePassword().toCharArray());
             Enumeration<String> aliases = keystore.aliases();
             while (aliases.hasMoreElements()) {
                 String alias = aliases.nextElement();
@@ -136,8 +150,8 @@ public AuthTokenValidator validator() {
             return new AuthTokenValidatorBuilder()
                     .withSiteOrigin(URI.create(yamlConfig().getLocalOrigin()))
                     .withNonceCache(nonceCache())
-                    .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromResources())
-                    .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromKeyStore())
+                    .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromCerFiles())
+                    .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromTrustStore())
                     .build();
         } catch (JceException e) {
             throw new RuntimeException("Error building the Web eID auth token validator.", e);
diff --git a/example/src/main/java/org/webeid/example/config/YAMLConfig.java b/example/src/main/java/org/webeid/example/config/YAMLConfig.java
index 7a56bc2..3400a61 100644
--- a/example/src/main/java/org/webeid/example/config/YAMLConfig.java
+++ b/example/src/main/java/org/webeid/example/config/YAMLConfig.java
@@ -38,8 +38,8 @@ public class YAMLConfig {
     private String localOrigin;
     private String fingerprint;
 
-    @Value("keystore-password")
-    private String keystorePassword;
+    @Value("truststore-password")
+    private String trustStorePassword;
 
     @Value("#{new Boolean('${web-eid-auth-token.validation.use-digidoc4j-prod-configuration}'.trim())}")
     private Boolean useDigiDoc4jProdConfiguration;
@@ -63,12 +63,12 @@ public void setFingerprint(String fingerprint) {
         this.fingerprint = fingerprint;
     }
 
-    public String getKeystorePassword() {
-        return keystorePassword;
+    public String getTrustStorePassword() {
+        return trustStorePassword;
     }
 
-    public void setKeystorePassword(String keystorePassword) {
-        this.keystorePassword = keystorePassword;
+    public void setTrustStorePassword(String trustStorePassword) {
+        this.trustStorePassword = trustStorePassword;
     }
 
     public boolean getUseDigiDoc4jProdConfiguration() {
diff --git a/example/src/main/resources/application-dev.yaml b/example/src/main/resources/application-dev.yaml
new file mode 100644
index 0000000..748b53f
--- /dev/null
+++ b/example/src/main/resources/application-dev.yaml
@@ -0,0 +1,4 @@
+web-eid-auth-token:
+  validation:
+    use-digidoc4j-prod-configuration: false
+    local-origin: "https://528bc9f21520.ngrok.io"
diff --git a/example/src/main/resources/application-prod.yaml b/example/src/main/resources/application-prod.yaml
new file mode 100644
index 0000000..709d314
--- /dev/null
+++ b/example/src/main/resources/application-prod.yaml
@@ -0,0 +1,5 @@
+web-eid-auth-token:
+  validation:
+    use-digidoc4j-prod-configuration: true
+    local-origin: "https://web-eid.eu"
+    truststore-password: "changeit"
diff --git a/example/src/main/resources/application.yaml b/example/src/main/resources/application.yaml
index 4c82178..ae50d3b 100644
--- a/example/src/main/resources/application.yaml
+++ b/example/src/main/resources/application.yaml
@@ -1,10 +1,3 @@
-spring:
-  profiles: dev
-  servlet:
-    multipart:
-      max-file-size: 5000KB
-      max-request-size: 5000KB
-
 # Make session cookie secure behind a reverse proxy, see
 # - https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-use-behind-a-proxy-server
 # - https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-enable-https
@@ -19,10 +12,4 @@ logging:
   level:
     org.webeid.security: DEBUG
     org.webeid.example: DEBUG
-
-web-eid-auth-token:
-  validation:
-    use-digidoc4j-prod-configuration: true
-    local-origin: "https://web-eid.eu"
-    fingerprint: "11:D8:AE:60:EC:19:10:C7:94:D7:4C:82:C8:0D:96:B2:07:88:B5:6A:D2:65:FF:F9:B5:14:C8:75:F7:90:08:E1"
-    keystore-password: "changeit"
+    org.springframework.security.web.csrf.CsrfFilter: DEBUG
diff --git a/example/src/test/resources/certs/TEST_of_ESTEID-SK_2015.cer b/example/src/main/resources/certs/dev/TEST_of_ESTEID-SK_2015.cer
similarity index 100%
rename from example/src/test/resources/certs/TEST_of_ESTEID-SK_2015.cer
rename to example/src/main/resources/certs/dev/TEST_of_ESTEID-SK_2015.cer
diff --git a/example/src/test/resources/certs/TEST_of_ESTEID2018.cer b/example/src/main/resources/certs/dev/TEST_of_ESTEID2018.cer
similarity index 100%
rename from example/src/test/resources/certs/TEST_of_ESTEID2018.cer
rename to example/src/main/resources/certs/dev/TEST_of_ESTEID2018.cer
diff --git a/example/src/main/resources/certs/ESTEID-SK_2015.cer b/example/src/main/resources/certs/prod/ESTEID-SK_2015.cer
similarity index 100%
rename from example/src/main/resources/certs/ESTEID-SK_2015.cer
rename to example/src/main/resources/certs/prod/ESTEID-SK_2015.cer
diff --git a/example/src/main/resources/certs/ESTEID2018.cer b/example/src/main/resources/certs/prod/ESTEID2018.cer
similarity index 100%
rename from example/src/main/resources/certs/ESTEID2018.cer
rename to example/src/main/resources/certs/prod/ESTEID2018.cer
diff --git a/example/src/main/resources/certs/trusted_certificates.jks b/example/src/main/resources/certs/prod/trusted_certificates.jks
similarity index 100%
rename from example/src/main/resources/certs/trusted_certificates.jks
rename to example/src/main/resources/certs/prod/trusted_certificates.jks
diff --git a/example/src/test/java/org/webeid/example/AuthenticationRestControllerTest.java b/example/src/test/java/org/webeid/example/AuthenticationRestControllerTest.java
index 660b522..71aca17 100644
--- a/example/src/test/java/org/webeid/example/AuthenticationRestControllerTest.java
+++ b/example/src/test/java/org/webeid/example/AuthenticationRestControllerTest.java
@@ -25,33 +25,25 @@
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
-import org.webeid.example.security.ajax.AjaxAuthenticationSuccessHandler;
 import org.webeid.example.web.rest.ChallengeController;
 
-import javax.servlet.http.HttpSession;
-
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.webeid.security.nonce.NonceGenerator.NONCE_LENGTH;
 
 @SpringBootTest
 class AuthenticationRestControllerTest {
-    @Autowired
-    ChallengeController authRestController;
 
     @Autowired
-    AjaxAuthenticationSuccessHandler ajaxAuthenticationSuccessHandler;
-
-    @Autowired
-    HttpSession httpSession;
+    ChallengeController authRestController;
 
     @Test
-    void contextLoads() {
-        assertThat(authRestController).isNotNull();
+    void testChallengeNonceLength() {
+        assertThat(authRestController.challenge().getNonce().length())
+                .isEqualTo(nonceGeneratorNonceBase64Length());
     }
 
-    @Test
-    void challengeNotNull() {
-        assertThat(authRestController.challenge()).isNotNull();
+    private int nonceGeneratorNonceBase64Length() {
+        return (NONCE_LENGTH * 8 + 6 - 1) / 6 + 1;
     }
 
-    // TODO: add tests here
 }
diff --git a/example/src/test/java/org/webeid/example/WebApplicationTest.java b/example/src/test/java/org/webeid/example/WebApplicationTest.java
index da36307..0add119 100644
--- a/example/src/test/java/org/webeid/example/WebApplicationTest.java
+++ b/example/src/test/java/org/webeid/example/WebApplicationTest.java
@@ -86,7 +86,7 @@ public void testRoot() throws Exception {
     }
 
     @Test
-    public void testHappyFlow_LoginUploadPrepareSignDownload() throws Exception {
+    public void testHappyFlow_LoginPrepareSignDownload() throws Exception {
 
         // Arrange
         new MockUp<SubjectCertificateNotRevokedValidator>() {
diff --git a/example/src/test/resources/application.yaml b/example/src/test/resources/application.yaml
deleted file mode 100644
index d7155cb..0000000
--- a/example/src/test/resources/application.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-spring:
-  profiles: dev
-  servlet:
-    multipart:
-      max-file-size: 5000KB
-      max-request-size: 5000KB
-web-eid-auth-token:
-  validation:
-    use-digidoc4j-prod-configuration: false
-    local-origin: "https://528bc9f21520.ngrok.io"
-    fingerprint: "unused"
-    keystore-password: "changeit"

From 1b593f8601ac6aaccc6f11a2292eb9a52fcd59aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mart=20S=C3=B5mermaa?= <mrts.pydev@gmail.com>
Date: Tue, 31 Aug 2021 13:44:58 +0300
Subject: [PATCH 043/116] fix(doc): fix anchor in README

---
 example/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/README.md b/example/README.md
index ec6ae9e..b5a35d0 100644
--- a/example/README.md
+++ b/example/README.md
@@ -69,7 +69,7 @@ When the application has started, open the _ngrok_ HTTPS URL in your preferred w
   + [Configuration](#configuration)
   + [Integration with Web eID components](#integration-with-web-eid-components)
   + [Integration with DigiDoc4j components](#integration-with-digidoc4j-components)
-    - [Using the Certificates' *Authority Information Access* (AIA) extension in DigiDoc4j](#using-the-certificates-_authority-information-access_-aia-extension-in-digidoc4j)
+    - [Using the Certificates' *Authority Information Access* (AIA) extension in DigiDoc4j](#using-the-certificates-authority-information-access-aia-extension-in-digidoc4j)
     - [Using DigiDoc4j in test mode with the `dev` profile](#using-digidoc4j-in-test-mode-with-the-dev-profile)
     - [Using DigiDoc4j in production mode with the `prod` profile](#using-digidoc4j-in-production-mode-with-the-prod-profile)
   + [Stateful and stateless authentication](#stateful-and-stateless-authentication)

From 2538f44f734ad7723b16305edd335892d2ef4791 Mon Sep 17 00:00:00 2001
From: Martin Ott <pahaloom@gmail.com>
Date: Tue, 7 Sep 2021 15:16:02 +0300
Subject: [PATCH 044/116] Mentioning all the people involved in making the
 example application.

---
 example/AUTHORS.md | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 example/AUTHORS.md

diff --git a/example/AUTHORS.md b/example/AUTHORS.md
new file mode 100644
index 0000000..4eb1014
--- /dev/null
+++ b/example/AUTHORS.md
@@ -0,0 +1,7 @@
+# Contributors
+
+Here is the list of people involved in creating the example application.
+
+    Juri Letberg
+    Mart Sõmermaa
+    Martin Ott

From 004b858846af574e197366b7d6984a061fc150bc Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 26 Oct 2021 15:31:35 +0300
Subject: [PATCH 045/116] release(html,deps): Safari first public release
 v1.0.2, update web-eid-authtoken-validation-java to v1.2.0 and web-eid.js to
 v1.0.1

---
 example/pom.xml                               |    2 +-
 .../security/WebEidAuthentication.java        |    8 +-
 .../example/service/SigningService.java       |    4 +-
 .../main/resources/static/js/web-eid-1.0.0.js |  530 --------
 .../main/resources/static/js/web-eid-1.0.1.js | 1135 +++++++++++++++++
 .../src/main/resources/templates/index.html   |   17 +-
 .../welcome-with-file-upload-support.html     |    2 +-
 .../src/main/resources/templates/welcome.html |    2 +-
 8 files changed, 1154 insertions(+), 546 deletions(-)
 delete mode 100644 example/src/main/resources/static/js/web-eid-1.0.0.js
 create mode 100644 example/src/main/resources/static/js/web-eid-1.0.1.js

diff --git a/example/pom.xml b/example/pom.xml
index cf8849b..15d503b 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -20,7 +20,7 @@
 		<java.version>1.8</java.version>
 		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
 		<caffeine.version>2.8.5</caffeine.version>
-		<webeid.version>1.1.0</webeid.version>
+		<webeid.version>1.2.0</webeid.version>
 		<jmockit.version>1.44</jmockit.version>
 	</properties>
 
diff --git a/example/src/main/java/org/webeid/example/security/WebEidAuthentication.java b/example/src/main/java/org/webeid/example/security/WebEidAuthentication.java
index 6c5ec3c..831bb85 100644
--- a/example/src/main/java/org/webeid/example/security/WebEidAuthentication.java
+++ b/example/src/main/java/org/webeid/example/security/WebEidAuthentication.java
@@ -25,7 +25,7 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
-import org.webeid.security.util.CertUtil;
+import org.webeid.security.certificate.CertificateData;
 
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
@@ -38,7 +38,7 @@ public class WebEidAuthentication extends PreAuthenticatedAuthenticationToken im
 
     public static Authentication fromCertificate(X509Certificate userCertificate, List<GrantedAuthority> authorities) throws CertificateEncodingException {
         final String principalName = getPrincipalNameFromCertificate(userCertificate);
-        final String idCode = Objects.requireNonNull(CertUtil.getSubjectIdCode(userCertificate));
+        final String idCode = Objects.requireNonNull(CertificateData.getSubjectIdCode(userCertificate));
         return new WebEidAuthentication(principalName, idCode, authorities);
     }
 
@@ -52,8 +52,8 @@ private WebEidAuthentication(String principalName, String idCode, List<GrantedAu
     }
 
     private static String getPrincipalNameFromCertificate(X509Certificate userCertificate) throws CertificateEncodingException {
-        return Objects.requireNonNull(CertUtil.getSubjectGivenName(userCertificate)) + ' ' +
-                Objects.requireNonNull(CertUtil.getSubjectSurname(userCertificate));
+        return Objects.requireNonNull(CertificateData.getSubjectGivenName(userCertificate)) + ' ' +
+                Objects.requireNonNull(CertificateData.getSubjectSurname(userCertificate));
     }
 
 }
diff --git a/example/src/main/java/org/webeid/example/service/SigningService.java b/example/src/main/java/org/webeid/example/service/SigningService.java
index ed90ad1..e971e1d 100644
--- a/example/src/main/java/org/webeid/example/service/SigningService.java
+++ b/example/src/main/java/org/webeid/example/service/SigningService.java
@@ -38,7 +38,7 @@
 import org.webeid.example.service.dto.FileDTO;
 import org.webeid.example.service.dto.SignatureDTO;
 import org.webeid.example.web.rest.SigningController;
-import org.webeid.security.util.CertUtil;
+import org.webeid.security.certificate.CertificateData;
 
 import javax.servlet.http.HttpSession;
 import javax.xml.bind.DatatypeConverter;
@@ -81,7 +81,7 @@ private HttpSession currentSession() {
      */
     public DigestDTO prepareContainer(CertificateDTO certificateDTO, WebEidAuthentication authentication) throws CertificateException, NoSuchAlgorithmException, IOException {
         X509Certificate certificate = certificateDTO.toX509Certificate();
-        if (!authentication.getIdCode().equals(CertUtil.getSubjectIdCode(certificate))) {
+        if (!authentication.getIdCode().equals(CertificateData.getSubjectIdCode(certificate))) {
             throw new IllegalArgumentException("Authenticated subject ID code differs from " +
                     "signing certificate subject ID code");
         }
diff --git a/example/src/main/resources/static/js/web-eid-1.0.0.js b/example/src/main/resources/static/js/web-eid-1.0.0.js
deleted file mode 100644
index 3a017bb..0000000
--- a/example/src/main/resources/static/js/web-eid-1.0.0.js
+++ /dev/null
@@ -1,530 +0,0 @@
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-var config = Object.freeze({
-    VERSION: "1.0.0",
-    EXTENSION_HANDSHAKE_TIMEOUT: 1000,
-    NATIVE_APP_HANDSHAKE_TIMEOUT: 5 * 1000,
-    DEFAULT_USER_INTERACTION_TIMEOUT: 2 * 60 * 1000,
-    DEFAULT_SERVER_REQUEST_TIMEOUT: 20 * 1000,
-});
-
-var ErrorCode;
-(function (ErrorCode) {
-    // Timeout errors
-    ErrorCode["ERR_WEBEID_ACTION_TIMEOUT"] = "ERR_WEBEID_ACTION_TIMEOUT";
-    ErrorCode["ERR_WEBEID_USER_TIMEOUT"] = "ERR_WEBEID_USER_TIMEOUT";
-    ErrorCode["ERR_WEBEID_SERVER_TIMEOUT"] = "ERR_WEBEID_SERVER_TIMEOUT";
-    // Health errors
-    ErrorCode["ERR_WEBEID_VERSION_MISMATCH"] = "ERR_WEBEID_VERSION_MISMATCH";
-    ErrorCode["ERR_WEBEID_VERSION_INVALID"] = "ERR_WEBEID_VERSION_INVALID";
-    ErrorCode["ERR_WEBEID_EXTENSION_UNAVAILABLE"] = "ERR_WEBEID_EXTENSION_UNAVAILABLE";
-    ErrorCode["ERR_WEBEID_NATIVE_UNAVAILABLE"] = "ERR_WEBEID_NATIVE_UNAVAILABLE";
-    ErrorCode["ERR_WEBEID_UNKNOWN_ERROR"] = "ERR_WEBEID_UNKNOWN_ERROR";
-    // Security errors
-    ErrorCode["ERR_WEBEID_CONTEXT_INSECURE"] = "ERR_WEBEID_CONTEXT_INSECURE";
-    ErrorCode["ERR_WEBEID_PROTOCOL_INSECURE"] = "ERR_WEBEID_PROTOCOL_INSECURE";
-    ErrorCode["ERR_WEBEID_TLS_CONNECTION_BROKEN"] = "ERR_WEBEID_TLS_CONNECTION_BROKEN";
-    ErrorCode["ERR_WEBEID_TLS_CONNECTION_INSECURE"] = "ERR_WEBEID_TLS_CONNECTION_INSECURE";
-    ErrorCode["ERR_WEBEID_TLS_CONNECTION_WEAK"] = "ERR_WEBEID_TLS_CONNECTION_WEAK";
-    ErrorCode["ERR_WEBEID_CERTIFICATE_CHANGED"] = "ERR_WEBEID_CERTIFICATE_CHANGED";
-    ErrorCode["ERR_WEBEID_ORIGIN_MISMATCH"] = "ERR_WEBEID_ORIGIN_MISMATCH";
-    // Third party errors
-    ErrorCode["ERR_WEBEID_SERVER_REJECTED"] = "ERR_WEBEID_SERVER_REJECTED";
-    ErrorCode["ERR_WEBEID_USER_CANCELLED"] = "ERR_WEBEID_USER_CANCELLED";
-    ErrorCode["ERR_WEBEID_NATIVE_INVALID_ARGUMENT"] = "ERR_WEBEID_NATIVE_INVALID_ARGUMENT";
-    ErrorCode["ERR_WEBEID_NATIVE_FATAL"] = "ERR_WEBEID_NATIVE_FATAL";
-    // Developer mistakes
-    ErrorCode["ERR_WEBEID_ACTION_PENDING"] = "ERR_WEBEID_ACTION_PENDING";
-    ErrorCode["ERR_WEBEID_MISSING_PARAMETER"] = "ERR_WEBEID_MISSING_PARAMETER";
-})(ErrorCode || (ErrorCode = {}));
-var ErrorCode$1 = ErrorCode;
-
-var Action;
-(function (Action) {
-    Action["STATUS"] = "web-eid:status";
-    Action["STATUS_ACK"] = "web-eid:status-ack";
-    Action["STATUS_SUCCESS"] = "web-eid:status-success";
-    Action["STATUS_FAILURE"] = "web-eid:status-failure";
-    Action["AUTHENTICATE"] = "web-eid:authenticate";
-    Action["AUTHENTICATE_ACK"] = "web-eid:authenticate-ack";
-    Action["AUTHENTICATE_SUCCESS"] = "web-eid:authenticate-success";
-    Action["AUTHENTICATE_FAILURE"] = "web-eid:authenticate-failure";
-    Action["SIGN"] = "web-eid:sign";
-    Action["SIGN_ACK"] = "web-eid:sign-ack";
-    Action["SIGN_SUCCESS"] = "web-eid:sign-success";
-    Action["SIGN_FAILURE"] = "web-eid:sign-failure";
-})(Action || (Action = {}));
-var Action$1 = Action;
-
-class CertificateChangedError extends Error {
-    constructor(message = "server certificate changed between requests") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_CERTIFICATE_CHANGED;
-    }
-}
-
-class OriginMismatchError extends Error {
-    constructor(message = "URLs for a single operation require the same origin") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_ORIGIN_MISMATCH;
-    }
-}
-
-const SECURE_CONTEXTS_INFO_URL = "https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts";
-class ContextInsecureError extends Error {
-    constructor(message = "Secure context required, see " + SECURE_CONTEXTS_INFO_URL) {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_CONTEXT_INSECURE;
-    }
-}
-
-class ExtensionUnavailableError extends Error {
-    constructor(message = "Web-eID extension is not available") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_EXTENSION_UNAVAILABLE;
-    }
-}
-
-class ActionPendingError extends Error {
-    constructor(message = "same action for Web-eID browser extension is already pending") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_ACTION_PENDING;
-    }
-}
-
-class NativeInvalidArgumentError extends Error {
-    constructor(message = "native application received an invalid argument") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_NATIVE_INVALID_ARGUMENT;
-    }
-}
-
-class NativeFatalError extends Error {
-    constructor(message = "native application terminated with a fatal error") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_NATIVE_FATAL;
-    }
-}
-
-class NativeUnavailableError extends Error {
-    constructor(message = "Web-eID native application is not available") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_NATIVE_UNAVAILABLE;
-    }
-}
-
-class ServerRejectedError extends Error {
-    constructor(message = "server rejected the request") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_SERVER_REJECTED;
-    }
-}
-
-class UserTimeoutError extends Error {
-    constructor(message = "user failed to respond in time") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_USER_TIMEOUT;
-    }
-}
-
-class UserCancelledError extends Error {
-    constructor(message = "request was cancelled by the user") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_USER_CANCELLED;
-    }
-}
-
-function tmpl(strings, requiresUpdate) {
-    return `Update required for Web-eID ${requiresUpdate}`;
-}
-class VersionMismatchError extends Error {
-    constructor(message, versions, requiresUpdate) {
-        if (!message) {
-            if (!requiresUpdate) {
-                message = "requiresUpdate not provided";
-            }
-            else if (requiresUpdate.extension && requiresUpdate.nativeApp) {
-                message = tmpl `${"extension and native app"}`;
-            }
-            else if (requiresUpdate.extension) {
-                message = tmpl `${"extension"}`;
-            }
-            else if (requiresUpdate.nativeApp) {
-                message = tmpl `${"native app"}`;
-            }
-        }
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_VERSION_MISMATCH;
-        this.requiresUpdate = requiresUpdate;
-        if (versions) {
-            const { library, extension, nativeApp } = versions;
-            Object.assign(this, { library, extension, nativeApp });
-        }
-    }
-}
-
-class TlsConnectionBrokenError extends Error {
-    constructor(message = "TLS connection was broken") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_BROKEN;
-    }
-}
-
-class TlsConnectionInsecureError extends Error {
-    constructor(message = "TLS connection was insecure") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_INSECURE;
-    }
-}
-
-class TlsConnectionWeakError extends Error {
-    constructor(message = "TLS connection was weak") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_WEAK;
-    }
-}
-
-class ProtocolInsecureError extends Error {
-    constructor(message = "HTTPS required") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_PROTOCOL_INSECURE;
-    }
-}
-
-class ActionTimeoutError extends Error {
-    constructor(message = "extension message timeout") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_ACTION_TIMEOUT;
-    }
-}
-
-class VersionInvalidError extends Error {
-    constructor(message = "invalid version string") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_VERSION_INVALID;
-    }
-}
-
-class ServerTimeoutError extends Error {
-    constructor(message = "server failed to respond in time") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_SERVER_TIMEOUT;
-    }
-}
-
-class UnknownError extends Error {
-    constructor(message = "an unknown error occurred") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_UNKNOWN_ERROR;
-    }
-}
-
-const errorCodeToErrorClass = {
-    [ErrorCode$1.ERR_WEBEID_ACTION_PENDING]: ActionPendingError,
-    [ErrorCode$1.ERR_WEBEID_ACTION_TIMEOUT]: ActionTimeoutError,
-    [ErrorCode$1.ERR_WEBEID_CERTIFICATE_CHANGED]: CertificateChangedError,
-    [ErrorCode$1.ERR_WEBEID_ORIGIN_MISMATCH]: OriginMismatchError,
-    [ErrorCode$1.ERR_WEBEID_CONTEXT_INSECURE]: ContextInsecureError,
-    [ErrorCode$1.ERR_WEBEID_EXTENSION_UNAVAILABLE]: ExtensionUnavailableError,
-    [ErrorCode$1.ERR_WEBEID_NATIVE_INVALID_ARGUMENT]: NativeInvalidArgumentError,
-    [ErrorCode$1.ERR_WEBEID_NATIVE_FATAL]: NativeFatalError,
-    [ErrorCode$1.ERR_WEBEID_NATIVE_UNAVAILABLE]: NativeUnavailableError,
-    [ErrorCode$1.ERR_WEBEID_PROTOCOL_INSECURE]: ProtocolInsecureError,
-    [ErrorCode$1.ERR_WEBEID_SERVER_REJECTED]: ServerRejectedError,
-    [ErrorCode$1.ERR_WEBEID_SERVER_TIMEOUT]: ServerTimeoutError,
-    [ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_BROKEN]: TlsConnectionBrokenError,
-    [ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_INSECURE]: TlsConnectionInsecureError,
-    [ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_WEAK]: TlsConnectionWeakError,
-    [ErrorCode$1.ERR_WEBEID_USER_CANCELLED]: UserCancelledError,
-    [ErrorCode$1.ERR_WEBEID_USER_TIMEOUT]: UserTimeoutError,
-    [ErrorCode$1.ERR_WEBEID_VERSION_INVALID]: VersionInvalidError,
-    [ErrorCode$1.ERR_WEBEID_VERSION_MISMATCH]: VersionMismatchError,
-};
-function deserializeError(errorObject) {
-    let error;
-    if (typeof errorObject.code == "string" && errorObject.code in errorCodeToErrorClass) {
-        const CustomError = errorCodeToErrorClass[errorObject.code];
-        error = new CustomError();
-    }
-    else {
-        error = new UnknownError();
-    }
-    for (const [key, value] of Object.entries(errorObject)) {
-        error[key] = value;
-    }
-    return error;
-}
-
-class WebExtensionService {
-    constructor() {
-        this.queue = [];
-        window.addEventListener("message", (event) => this.receive(event));
-    }
-    receive(event) {
-        var _a, _b, _c, _d;
-        const message = event.data;
-        const suffix = (_b = (_a = message.action) === null || _a === void 0 ? void 0 : _a.match(/success$|failure$|ack$/)) === null || _b === void 0 ? void 0 : _b[0];
-        const initialAction = this.getInitialAction(message.action);
-        const pending = this.getPendingMessage(initialAction);
-        if (suffix === "ack") {
-            console.log("ack message", message);
-            console.log("ack pending", pending === null || pending === void 0 ? void 0 : pending.message.action);
-            console.log("ack queue", JSON.stringify(this.queue));
-        }
-        if (pending) {
-            switch (suffix) {
-                case "ack": {
-                    clearTimeout(pending.ackTimer);
-                    break;
-                }
-                case "success": {
-                    (_c = pending.resolve) === null || _c === void 0 ? void 0 : _c.call(pending, message);
-                    this.removeFromQueue(initialAction);
-                    break;
-                }
-                case "failure": {
-                    (_d = pending.reject) === null || _d === void 0 ? void 0 : _d.call(pending, message.error ? deserializeError(message.error) : message);
-                    this.removeFromQueue(initialAction);
-                    break;
-                }
-            }
-        }
-    }
-    send(message, timeout) {
-        if (this.getPendingMessage(message.action)) {
-            return Promise.reject(new ActionPendingError());
-        }
-        else if (!window.isSecureContext) {
-            return Promise.reject(new ContextInsecureError());
-        }
-        else {
-            const pending = { message };
-            this.queue.push(pending);
-            pending.promise = new Promise((resolve, reject) => {
-                pending.resolve = resolve;
-                pending.reject = reject;
-            });
-            pending.ackTimer = setTimeout(() => this.onAckTimeout(pending), config.EXTENSION_HANDSHAKE_TIMEOUT);
-            pending.replyTimer = setTimeout(() => this.onReplyTimeout(pending), timeout);
-            window.postMessage(message, "*");
-            return pending.promise;
-        }
-    }
-    onReplyTimeout(pending) {
-        var _a;
-        console.log("onReplyTimeout", pending.message.action);
-        (_a = pending.reject) === null || _a === void 0 ? void 0 : _a.call(pending, new ActionTimeoutError());
-        this.removeFromQueue(pending.message.action);
-    }
-    onAckTimeout(pending) {
-        var _a;
-        console.log("onAckTimeout", pending.message.action);
-        (_a = pending.reject) === null || _a === void 0 ? void 0 : _a.call(pending, new ExtensionUnavailableError());
-        clearTimeout(pending.replyTimer);
-    }
-    getPendingMessage(action) {
-        return this.queue.find((pm) => {
-            return pm.message.action === action;
-        });
-    }
-    getSuccessAction(action) {
-        return `${action}-success`;
-    }
-    getFailureAction(action) {
-        return `${action}-failure`;
-    }
-    getInitialAction(action) {
-        return action.replace(/-success$|-failure$|-ack$/, "");
-    }
-    removeFromQueue(action) {
-        const pending = this.getPendingMessage(action);
-        clearTimeout(pending === null || pending === void 0 ? void 0 : pending.replyTimer);
-        this.queue = this.queue.filter((pending) => (pending.message.action !== action));
-    }
-}
-
-const semverPattern = new RegExp("^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)" +
-    "(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$");
-var IdentifierDiff;
-(function (IdentifierDiff) {
-    IdentifierDiff[IdentifierDiff["NEWER"] = 1] = "NEWER";
-    IdentifierDiff[IdentifierDiff["SAME"] = 0] = "SAME";
-    IdentifierDiff[IdentifierDiff["OLDER"] = -1] = "OLDER";
-})(IdentifierDiff || (IdentifierDiff = {}));
-function parseSemver(string = "") {
-    const result = string.match(semverPattern);
-    const [, majorStr, minorStr, patchStr, rc, build] = result ? result : [];
-    const major = parseInt(majorStr, 10);
-    const minor = parseInt(minorStr, 10);
-    const patch = parseInt(patchStr, 10);
-    for (const indentifier of [major, minor, patch]) {
-        if (Number.isNaN(indentifier)) {
-            throw new VersionInvalidError(`Invalid SemVer string '${string}'`);
-        }
-    }
-    return { major, minor, patch, rc, build, string };
-}
-/**
- * Compares two Semver objects.
- *
- * @param {Semver} a First SemVer object
- * @param {Semver} b Second Semver object
- *
- * @returns {SemverDiff} Diff for major, minor and patch.
- */
-function compareSemver(a, b) {
-    return {
-        major: Math.sign(a.major - b.major),
-        minor: Math.sign(a.minor - b.minor),
-        patch: Math.sign(a.patch - b.patch),
-    };
-}
-
-/**
- * Checks if update is required.
- *
- * @param version Object containing SemVer version strings for library, extension and native app.
- *
- * @returns Object which specifies if the extension or native app should be updated.
- */
-function checkCompatibility(version) {
-    const library = parseSemver(version.library);
-    const extension = parseSemver(version.extension);
-    const nativeApp = parseSemver(version.nativeApp);
-    const extensionDiff = compareSemver(extension, library);
-    const nativeAppDiff = compareSemver(nativeApp, library);
-    return {
-        extension: extensionDiff.major === IdentifierDiff.OLDER,
-        nativeApp: nativeAppDiff.major === IdentifierDiff.OLDER,
-    };
-}
-/**
- * Checks an object if 'library', 'extension' or 'nativeApp' properties are present.
- * Values are not checked for SemVer validity.
- *
- * @param object Object which will be checked for version properties.
- *
- * @returns Were any of the version properties found in the provided object.
- */
-function hasVersionProperties(object) {
-    if (typeof object === "object") {
-        for (const prop of ["library", "extension", "nativeApp"]) {
-            if (Object.hasOwnProperty.call(object, prop))
-                return true;
-        }
-    }
-    return false;
-}
-
-class MissingParameterError extends Error {
-    constructor(message) {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_MISSING_PARAMETER;
-    }
-}
-
-function defer() {
-    return new Promise((resolve) => setTimeout(resolve));
-}
-
-const webExtensionService = new WebExtensionService();
-async function status() {
-    await defer(); // Give chrome a moment to load the extension content script
-    let statusResponse;
-    const library = config.VERSION;
-    const timeout = config.EXTENSION_HANDSHAKE_TIMEOUT + config.NATIVE_APP_HANDSHAKE_TIMEOUT;
-    const message = { action: Action$1.STATUS };
-    try {
-        statusResponse = await webExtensionService.send(message, timeout);
-    }
-    catch (error) {
-        error.library = library;
-        throw error;
-    }
-    const versions = { library, ...statusResponse };
-    const requiresUpdate = checkCompatibility(versions);
-    if (requiresUpdate.extension || requiresUpdate.nativeApp) {
-        throw new VersionMismatchError(undefined, versions, requiresUpdate);
-    }
-    return versions;
-}
-async function authenticate(options) {
-    await defer(); // Give chrome a moment to load the extension content script
-    if (typeof options != "object") {
-        throw new MissingParameterError("authenticate function requires an options object as parameter");
-    }
-    if (!options.getAuthChallengeUrl) {
-        throw new MissingParameterError("getAuthChallengeUrl missing from authenticate options");
-    }
-    if (!options.postAuthTokenUrl) {
-        throw new MissingParameterError("postAuthTokenUrl missing from authenticate options");
-    }
-    const timeout = (config.EXTENSION_HANDSHAKE_TIMEOUT +
-        config.NATIVE_APP_HANDSHAKE_TIMEOUT +
-        (options.serverRequestTimeout || config.DEFAULT_SERVER_REQUEST_TIMEOUT) * 2 +
-        (options.userInteractionTimeout || config.DEFAULT_USER_INTERACTION_TIMEOUT));
-    const message = { ...options, action: Action$1.AUTHENTICATE };
-    const result = await webExtensionService.send(message, timeout);
-    return result.response;
-}
-async function sign(options) {
-    await defer(); // Give chrome a moment to load the extension content script
-    if (typeof options != "object") {
-        throw new MissingParameterError("sign function requires an options object as parameter");
-    }
-    if (!options.postPrepareSigningUrl) {
-        throw new MissingParameterError("postPrepareSigningUrl missing from sign options");
-    }
-    if (!options.postFinalizeSigningUrl) {
-        throw new MissingParameterError("postFinalizeSigningUrl missing from sign options");
-    }
-    const timeout = (config.EXTENSION_HANDSHAKE_TIMEOUT +
-        config.NATIVE_APP_HANDSHAKE_TIMEOUT +
-        (options.serverRequestTimeout || config.DEFAULT_SERVER_REQUEST_TIMEOUT) * 2 +
-        (options.userInteractionTimeout || config.DEFAULT_USER_INTERACTION_TIMEOUT) * 2);
-    const message = { ...options, action: Action$1.SIGN };
-    const result = await webExtensionService.send(message, timeout);
-    return result.response;
-}
-
-export { Action$1 as Action, ErrorCode$1 as ErrorCode, authenticate, config, hasVersionProperties, sign, status };
diff --git a/example/src/main/resources/static/js/web-eid-1.0.1.js b/example/src/main/resources/static/js/web-eid-1.0.1.js
new file mode 100644
index 0000000..6244468
--- /dev/null
+++ b/example/src/main/resources/static/js/web-eid-1.0.1.js
@@ -0,0 +1,1135 @@
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+var config = Object.freeze({
+    VERSION: "1.0.1",
+    EXTENSION_HANDSHAKE_TIMEOUT: 1000,
+    NATIVE_APP_HANDSHAKE_TIMEOUT: 5 * 1000,
+    DEFAULT_USER_INTERACTION_TIMEOUT: 2 * 60 * 1000,
+    DEFAULT_SERVER_REQUEST_TIMEOUT: 20 * 1000,
+});
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+var ErrorCode;
+(function (ErrorCode) {
+    // Timeout errors
+    ErrorCode["ERR_WEBEID_ACTION_TIMEOUT"] = "ERR_WEBEID_ACTION_TIMEOUT";
+    ErrorCode["ERR_WEBEID_USER_TIMEOUT"] = "ERR_WEBEID_USER_TIMEOUT";
+    ErrorCode["ERR_WEBEID_SERVER_TIMEOUT"] = "ERR_WEBEID_SERVER_TIMEOUT";
+    // Health errors
+    ErrorCode["ERR_WEBEID_VERSION_MISMATCH"] = "ERR_WEBEID_VERSION_MISMATCH";
+    ErrorCode["ERR_WEBEID_VERSION_INVALID"] = "ERR_WEBEID_VERSION_INVALID";
+    ErrorCode["ERR_WEBEID_EXTENSION_UNAVAILABLE"] = "ERR_WEBEID_EXTENSION_UNAVAILABLE";
+    ErrorCode["ERR_WEBEID_NATIVE_UNAVAILABLE"] = "ERR_WEBEID_NATIVE_UNAVAILABLE";
+    ErrorCode["ERR_WEBEID_UNKNOWN_ERROR"] = "ERR_WEBEID_UNKNOWN_ERROR";
+    // Security errors
+    ErrorCode["ERR_WEBEID_CONTEXT_INSECURE"] = "ERR_WEBEID_CONTEXT_INSECURE";
+    ErrorCode["ERR_WEBEID_PROTOCOL_INSECURE"] = "ERR_WEBEID_PROTOCOL_INSECURE";
+    ErrorCode["ERR_WEBEID_TLS_CONNECTION_BROKEN"] = "ERR_WEBEID_TLS_CONNECTION_BROKEN";
+    ErrorCode["ERR_WEBEID_TLS_CONNECTION_INSECURE"] = "ERR_WEBEID_TLS_CONNECTION_INSECURE";
+    ErrorCode["ERR_WEBEID_TLS_CONNECTION_WEAK"] = "ERR_WEBEID_TLS_CONNECTION_WEAK";
+    ErrorCode["ERR_WEBEID_CERTIFICATE_CHANGED"] = "ERR_WEBEID_CERTIFICATE_CHANGED";
+    ErrorCode["ERR_WEBEID_ORIGIN_MISMATCH"] = "ERR_WEBEID_ORIGIN_MISMATCH";
+    // Third party errors
+    ErrorCode["ERR_WEBEID_SERVER_REJECTED"] = "ERR_WEBEID_SERVER_REJECTED";
+    ErrorCode["ERR_WEBEID_USER_CANCELLED"] = "ERR_WEBEID_USER_CANCELLED";
+    ErrorCode["ERR_WEBEID_NATIVE_INVALID_ARGUMENT"] = "ERR_WEBEID_NATIVE_INVALID_ARGUMENT";
+    ErrorCode["ERR_WEBEID_NATIVE_FATAL"] = "ERR_WEBEID_NATIVE_FATAL";
+    // Developer mistakes
+    ErrorCode["ERR_WEBEID_ACTION_PENDING"] = "ERR_WEBEID_ACTION_PENDING";
+    ErrorCode["ERR_WEBEID_MISSING_PARAMETER"] = "ERR_WEBEID_MISSING_PARAMETER";
+})(ErrorCode || (ErrorCode = {}));
+var ErrorCode$1 = ErrorCode;
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+var Action;
+(function (Action) {
+    Action["STATUS"] = "web-eid:status";
+    Action["STATUS_ACK"] = "web-eid:status-ack";
+    Action["STATUS_SUCCESS"] = "web-eid:status-success";
+    Action["STATUS_FAILURE"] = "web-eid:status-failure";
+    Action["AUTHENTICATE"] = "web-eid:authenticate";
+    Action["AUTHENTICATE_ACK"] = "web-eid:authenticate-ack";
+    Action["AUTHENTICATE_SUCCESS"] = "web-eid:authenticate-success";
+    Action["AUTHENTICATE_FAILURE"] = "web-eid:authenticate-failure";
+    Action["SIGN"] = "web-eid:sign";
+    Action["SIGN_ACK"] = "web-eid:sign-ack";
+    Action["SIGN_SUCCESS"] = "web-eid:sign-success";
+    Action["SIGN_FAILURE"] = "web-eid:sign-failure";
+})(Action || (Action = {}));
+var Action$1 = Action;
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class CertificateChangedError extends Error {
+    constructor(message = "server certificate changed between requests") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_CERTIFICATE_CHANGED;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class OriginMismatchError extends Error {
+    constructor(message = "URLs for a single operation require the same origin") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_ORIGIN_MISMATCH;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+const SECURE_CONTEXTS_INFO_URL = "https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts";
+class ContextInsecureError extends Error {
+    constructor(message = "Secure context required, see " + SECURE_CONTEXTS_INFO_URL) {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_CONTEXT_INSECURE;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class ExtensionUnavailableError extends Error {
+    constructor(message = "Web-eID extension is not available") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_EXTENSION_UNAVAILABLE;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class ActionPendingError extends Error {
+    constructor(message = "same action for Web-eID browser extension is already pending") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_ACTION_PENDING;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class NativeInvalidArgumentError extends Error {
+    constructor(message = "native application received an invalid argument") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_NATIVE_INVALID_ARGUMENT;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class NativeFatalError extends Error {
+    constructor(message = "native application terminated with a fatal error") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_NATIVE_FATAL;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class NativeUnavailableError extends Error {
+    constructor(message = "Web-eID native application is not available") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_NATIVE_UNAVAILABLE;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class ServerRejectedError extends Error {
+    constructor(message = "server rejected the request") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_SERVER_REJECTED;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class UserTimeoutError extends Error {
+    constructor(message = "user failed to respond in time") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_USER_TIMEOUT;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class UserCancelledError extends Error {
+    constructor(message = "request was cancelled by the user") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_USER_CANCELLED;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+function tmpl(strings, requiresUpdate) {
+    return `Update required for Web-eID ${requiresUpdate}`;
+}
+class VersionMismatchError extends Error {
+    constructor(message, versions, requiresUpdate) {
+        if (!message) {
+            if (!requiresUpdate) {
+                message = "requiresUpdate not provided";
+            }
+            else if (requiresUpdate.extension && requiresUpdate.nativeApp) {
+                message = tmpl `${"extension and native app"}`;
+            }
+            else if (requiresUpdate.extension) {
+                message = tmpl `${"extension"}`;
+            }
+            else if (requiresUpdate.nativeApp) {
+                message = tmpl `${"native app"}`;
+            }
+        }
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_VERSION_MISMATCH;
+        this.requiresUpdate = requiresUpdate;
+        if (versions) {
+            const { library, extension, nativeApp } = versions;
+            Object.assign(this, { library, extension, nativeApp });
+        }
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class TlsConnectionBrokenError extends Error {
+    constructor(message = "TLS connection was broken") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_BROKEN;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class TlsConnectionInsecureError extends Error {
+    constructor(message = "TLS connection was insecure") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_INSECURE;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class TlsConnectionWeakError extends Error {
+    constructor(message = "TLS connection was weak") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_WEAK;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class ProtocolInsecureError extends Error {
+    constructor(message = "HTTPS required") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_PROTOCOL_INSECURE;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class ActionTimeoutError extends Error {
+    constructor(message = "extension message timeout") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_ACTION_TIMEOUT;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class VersionInvalidError extends Error {
+    constructor(message = "invalid version string") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_VERSION_INVALID;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class ServerTimeoutError extends Error {
+    constructor(message = "server failed to respond in time") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_SERVER_TIMEOUT;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class UnknownError extends Error {
+    constructor(message = "an unknown error occurred") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_UNKNOWN_ERROR;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+const errorCodeToErrorClass = {
+    [ErrorCode$1.ERR_WEBEID_ACTION_PENDING]: ActionPendingError,
+    [ErrorCode$1.ERR_WEBEID_ACTION_TIMEOUT]: ActionTimeoutError,
+    [ErrorCode$1.ERR_WEBEID_CERTIFICATE_CHANGED]: CertificateChangedError,
+    [ErrorCode$1.ERR_WEBEID_ORIGIN_MISMATCH]: OriginMismatchError,
+    [ErrorCode$1.ERR_WEBEID_CONTEXT_INSECURE]: ContextInsecureError,
+    [ErrorCode$1.ERR_WEBEID_EXTENSION_UNAVAILABLE]: ExtensionUnavailableError,
+    [ErrorCode$1.ERR_WEBEID_NATIVE_INVALID_ARGUMENT]: NativeInvalidArgumentError,
+    [ErrorCode$1.ERR_WEBEID_NATIVE_FATAL]: NativeFatalError,
+    [ErrorCode$1.ERR_WEBEID_NATIVE_UNAVAILABLE]: NativeUnavailableError,
+    [ErrorCode$1.ERR_WEBEID_PROTOCOL_INSECURE]: ProtocolInsecureError,
+    [ErrorCode$1.ERR_WEBEID_SERVER_REJECTED]: ServerRejectedError,
+    [ErrorCode$1.ERR_WEBEID_SERVER_TIMEOUT]: ServerTimeoutError,
+    [ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_BROKEN]: TlsConnectionBrokenError,
+    [ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_INSECURE]: TlsConnectionInsecureError,
+    [ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_WEAK]: TlsConnectionWeakError,
+    [ErrorCode$1.ERR_WEBEID_USER_CANCELLED]: UserCancelledError,
+    [ErrorCode$1.ERR_WEBEID_USER_TIMEOUT]: UserTimeoutError,
+    [ErrorCode$1.ERR_WEBEID_VERSION_INVALID]: VersionInvalidError,
+    [ErrorCode$1.ERR_WEBEID_VERSION_MISMATCH]: VersionMismatchError,
+};
+function deserializeError(errorObject) {
+    let error;
+    if (typeof errorObject.code == "string" && errorObject.code in errorCodeToErrorClass) {
+        const CustomError = errorCodeToErrorClass[errorObject.code];
+        error = new CustomError();
+    }
+    else {
+        error = new UnknownError();
+    }
+    for (const [key, value] of Object.entries(errorObject)) {
+        error[key] = value;
+    }
+    return error;
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class WebExtensionService {
+    constructor() {
+        this.queue = [];
+        window.addEventListener("message", (event) => this.receive(event));
+    }
+    receive(event) {
+        var _a, _b, _c, _d, _e;
+        if (!/^web-eid:/.test((_a = event.data) === null || _a === void 0 ? void 0 : _a.action))
+            return;
+        const message = event.data;
+        const suffix = (_c = (_b = message.action) === null || _b === void 0 ? void 0 : _b.match(/success$|failure$|ack$/)) === null || _c === void 0 ? void 0 : _c[0];
+        const initialAction = this.getInitialAction(message.action);
+        const pending = this.getPendingMessage(initialAction);
+        if (suffix === "ack") {
+            console.log("ack message", message);
+            console.log("ack pending", pending === null || pending === void 0 ? void 0 : pending.message.action);
+            console.log("ack queue", JSON.stringify(this.queue));
+        }
+        if (pending) {
+            switch (suffix) {
+                case "ack": {
+                    clearTimeout(pending.ackTimer);
+                    break;
+                }
+                case "success": {
+                    (_d = pending.resolve) === null || _d === void 0 ? void 0 : _d.call(pending, message);
+                    this.removeFromQueue(initialAction);
+                    break;
+                }
+                case "failure": {
+                    (_e = pending.reject) === null || _e === void 0 ? void 0 : _e.call(pending, message.error ? deserializeError(message.error) : message);
+                    this.removeFromQueue(initialAction);
+                    break;
+                }
+            }
+        }
+    }
+    send(message, timeout) {
+        if (this.getPendingMessage(message.action)) {
+            return Promise.reject(new ActionPendingError());
+        }
+        else if (!window.isSecureContext) {
+            return Promise.reject(new ContextInsecureError());
+        }
+        else {
+            const pending = { message };
+            this.queue.push(pending);
+            pending.promise = new Promise((resolve, reject) => {
+                pending.resolve = resolve;
+                pending.reject = reject;
+            });
+            pending.ackTimer = setTimeout(() => this.onAckTimeout(pending), config.EXTENSION_HANDSHAKE_TIMEOUT);
+            pending.replyTimer = setTimeout(() => this.onReplyTimeout(pending), timeout);
+            window.postMessage(message, "*");
+            return pending.promise;
+        }
+    }
+    onReplyTimeout(pending) {
+        var _a;
+        console.log("onReplyTimeout", pending.message.action);
+        (_a = pending.reject) === null || _a === void 0 ? void 0 : _a.call(pending, new ActionTimeoutError());
+        this.removeFromQueue(pending.message.action);
+    }
+    onAckTimeout(pending) {
+        var _a;
+        console.log("onAckTimeout", pending.message.action);
+        (_a = pending.reject) === null || _a === void 0 ? void 0 : _a.call(pending, new ExtensionUnavailableError());
+        clearTimeout(pending.replyTimer);
+    }
+    getPendingMessage(action) {
+        return this.queue.find((pm) => {
+            return pm.message.action === action;
+        });
+    }
+    getInitialAction(action) {
+        return action.replace(/-success$|-failure$|-ack$/, "");
+    }
+    removeFromQueue(action) {
+        const pending = this.getPendingMessage(action);
+        clearTimeout(pending === null || pending === void 0 ? void 0 : pending.replyTimer);
+        this.queue = this.queue.filter((pending) => (pending.message.action !== action));
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+const semverPattern = new RegExp("^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)" +
+    "(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$");
+var IdentifierDiff;
+(function (IdentifierDiff) {
+    IdentifierDiff[IdentifierDiff["NEWER"] = 1] = "NEWER";
+    IdentifierDiff[IdentifierDiff["SAME"] = 0] = "SAME";
+    IdentifierDiff[IdentifierDiff["OLDER"] = -1] = "OLDER";
+})(IdentifierDiff || (IdentifierDiff = {}));
+function parseSemver(string = "") {
+    const result = string.match(semverPattern);
+    const [, majorStr, minorStr, patchStr, rc, build] = result ? result : [];
+    const major = parseInt(majorStr, 10);
+    const minor = parseInt(minorStr, 10);
+    const patch = parseInt(patchStr, 10);
+    for (const indentifier of [major, minor, patch]) {
+        if (Number.isNaN(indentifier)) {
+            throw new VersionInvalidError(`Invalid SemVer string '${string}'`);
+        }
+    }
+    return { major, minor, patch, rc, build, string };
+}
+/**
+ * Compares two Semver objects.
+ *
+ * @param {Semver} a First SemVer object
+ * @param {Semver} b Second Semver object
+ *
+ * @returns {SemverDiff} Diff for major, minor and patch.
+ */
+function compareSemver(a, b) {
+    return {
+        major: Math.sign(a.major - b.major),
+        minor: Math.sign(a.minor - b.minor),
+        patch: Math.sign(a.patch - b.patch),
+    };
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+/**
+ * Checks if update is required.
+ *
+ * @param version Object containing SemVer version strings for library, extension and native app.
+ *
+ * @returns Object which specifies if the extension or native app should be updated.
+ */
+function checkCompatibility(version) {
+    const library = parseSemver(version.library);
+    const extension = parseSemver(version.extension);
+    const nativeApp = parseSemver(version.nativeApp);
+    const extensionDiff = compareSemver(extension, library);
+    const nativeAppDiff = compareSemver(nativeApp, library);
+    return {
+        extension: extensionDiff.major === IdentifierDiff.OLDER,
+        nativeApp: nativeAppDiff.major === IdentifierDiff.OLDER,
+    };
+}
+/**
+ * Checks an object if 'library', 'extension' or 'nativeApp' properties are present.
+ * Values are not checked for SemVer validity.
+ *
+ * @param object Object which will be checked for version properties.
+ *
+ * @returns Were any of the version properties found in the provided object.
+ */
+function hasVersionProperties(object) {
+    if (typeof object === "object") {
+        for (const prop of ["library", "extension", "nativeApp"]) {
+            if (Object.hasOwnProperty.call(object, prop))
+                return true;
+        }
+    }
+    return false;
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+class MissingParameterError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_MISSING_PARAMETER;
+    }
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+function defer() {
+    return new Promise((resolve) => setTimeout(resolve));
+}
+
+/*
+ * Copyright (c) Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+const webExtensionService = new WebExtensionService();
+async function status() {
+    await defer(); // Give chrome a moment to load the extension content script
+    let statusResponse;
+    const library = config.VERSION;
+    const timeout = config.EXTENSION_HANDSHAKE_TIMEOUT + config.NATIVE_APP_HANDSHAKE_TIMEOUT;
+    const message = { action: Action$1.STATUS };
+    try {
+        statusResponse = await webExtensionService.send(message, timeout);
+    }
+    catch (error) {
+        error.library = library;
+        throw error;
+    }
+    const versions = { library, ...statusResponse };
+    const requiresUpdate = checkCompatibility(versions);
+    if (requiresUpdate.extension || requiresUpdate.nativeApp) {
+        throw new VersionMismatchError(undefined, versions, requiresUpdate);
+    }
+    return versions;
+}
+async function authenticate(options) {
+    await defer(); // Give chrome a moment to load the extension content script
+    if (typeof options != "object") {
+        throw new MissingParameterError("authenticate function requires an options object as parameter");
+    }
+    if (!options.getAuthChallengeUrl) {
+        throw new MissingParameterError("getAuthChallengeUrl missing from authenticate options");
+    }
+    if (!options.postAuthTokenUrl) {
+        throw new MissingParameterError("postAuthTokenUrl missing from authenticate options");
+    }
+    const timeout = (config.EXTENSION_HANDSHAKE_TIMEOUT +
+        config.NATIVE_APP_HANDSHAKE_TIMEOUT +
+        (options.serverRequestTimeout || config.DEFAULT_SERVER_REQUEST_TIMEOUT) * 2 +
+        (options.userInteractionTimeout || config.DEFAULT_USER_INTERACTION_TIMEOUT));
+    const message = { ...options, action: Action$1.AUTHENTICATE };
+    const result = await webExtensionService.send(message, timeout);
+    return result.response;
+}
+async function sign(options) {
+    await defer(); // Give chrome a moment to load the extension content script
+    if (typeof options != "object") {
+        throw new MissingParameterError("sign function requires an options object as parameter");
+    }
+    if (!options.postPrepareSigningUrl) {
+        throw new MissingParameterError("postPrepareSigningUrl missing from sign options");
+    }
+    if (!options.postFinalizeSigningUrl) {
+        throw new MissingParameterError("postFinalizeSigningUrl missing from sign options");
+    }
+    const timeout = (config.EXTENSION_HANDSHAKE_TIMEOUT +
+        config.NATIVE_APP_HANDSHAKE_TIMEOUT +
+        (options.serverRequestTimeout || config.DEFAULT_SERVER_REQUEST_TIMEOUT) * 2 +
+        (options.userInteractionTimeout || config.DEFAULT_USER_INTERACTION_TIMEOUT) * 2);
+    const message = { ...options, action: Action$1.SIGN };
+    const result = await webExtensionService.send(message, timeout);
+    return result.response;
+}
+
+export { Action$1 as Action, ErrorCode$1 as ErrorCode, authenticate, config, hasVersionProperties, sign, status };
diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index 5592aae..1ec14a4 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -46,8 +46,7 @@ <h4>Table of contents</h4>
             <hr/>
             <h3><a id="usage"></a>Usage</h3>
             <p>
-                Instructions for installing and testing version 1.0.0 in Firefox, Chrome or Edge
-                (Safari support on macOS will also be available shortly):
+                Instructions for installing and testing the latest version in Firefox, Chrome, Edge or Safari:
             </p>
             <ol>
                 <li>
@@ -61,6 +60,9 @@ <h3><a id="usage"></a>Usage</h3>
                         <li>on <b>macOS</b> 10.15 or later, for Firefox and Chrome from <a
                                 href="https://installer.id.ee/media/web-eid/web-eid_1.0.0.525.dmg">here</a>,
                         </li>
+                        <li>on <b>macOS</b> 10.15 or later, for Safari, install the extension from <a
+                                href="https://apps.apple.com/ee/app/web-eid/id1576665083?mt=12">App Store</a>,
+                        </li>
                         <li>on <b>Windows</b> 10 (64-bit), for Firefox, Chrome and Edge from <a
                                 href="https://installer.id.ee/media/web-eid/web-eid_1.0.0.527.exe">here</a>.
                         </li>
@@ -129,8 +131,9 @@ <h4>Debugging and logs</h4>
                             <code>defaults write \</code><br>
                             <code>&nbsp;&nbsp;"$HOME/Library/Containers/eu.web-eid.web-eid/Data/Library/Preferences/eu.web-eid.web-eid.plist"
                                 \</code><br>
-                            <code>&nbsp;&nbsp;logging true</code><!-- <br>
-                            <code>defaults write "$HOME/Library/Containers/eu.web-eid.web-eid-safari/Data/Library/Preferences/eu.web-eid.web-eid-safari.plist" true</code> -->
+                            <code>&nbsp;&nbsp;logging true</code><br>
+                            <code>defaults write "$HOME/Library/Containers/eu.web-eid.web-eid-safari/Data/Library/Preferences/eu.web-eid.web-eid-safari.plist" \</code><br>
+                            <code>&nbsp;&nbsp;logging true</code><br>
                         </li>
                         <li>in Windows, add the following registry key:<br>
                             <code>[HKEY_CURRENT_USER\SOFTWARE\RIA\web-eid]</code><br>
@@ -145,9 +148,9 @@ <h4>Debugging and logs</h4>
                         <li><code>~/Library/Containers/eu.web-eid.web-eid/Data/Library/Application\
                             Support/RIA/web-eid/web-eid.log</code> in macOS
                         </li>
-                        <!-- <li><code>~/Library/Containers/eu.web-eid.web-eid-safari/Data/Library/Application\
+                        <li><code>~/Library/Containers/eu.web-eid.web-eid-safari/Data/Library/Application\
                            Support/RIA/web-eid-safari/web-eid-safari.log</code> of Safari in macOS
-                        </li> -->
+                        </li>
                         <li>
                             <code>C:/Users/&lt;USER&gt;/AppData/Local/RIA/web-eid/web-eid.log</code> in Windows.
                         </li>
@@ -209,7 +212,7 @@ <h3><a id="for-developers"></a>For developers</h3>
 
 <script type="module">
     "use strict";
-    import * as webeid from "/js/web-eid-1.0.0.js";
+    import * as webeid from "/js/web-eid-1.0.1.js";
     import {hideErrorMessage, showErrorMessage} from "/js/error-message.js";
 
     hideErrorMessage();
diff --git a/example/src/main/resources/templates/welcome-with-file-upload-support.html b/example/src/main/resources/templates/welcome-with-file-upload-support.html
index 9920e7b..ed815e6 100644
--- a/example/src/main/resources/templates/welcome-with-file-upload-support.html
+++ b/example/src/main/resources/templates/welcome-with-file-upload-support.html
@@ -37,7 +37,7 @@ <h2 class="adding-signature">Sign a document</h2>
 
         <script type="module">
             "use strict";
-            import * as webeid from "/js/web-eid-1.0.0.js";
+            import * as webeid from "/js/web-eid-1.0.1.js";
             import { hideErrorMessage, showErrorMessage } from "/js/error-message.js";
 
             const signButton = document.querySelector("#webeid-sign-button");
diff --git a/example/src/main/resources/templates/welcome.html b/example/src/main/resources/templates/welcome.html
index de28257..eeb07ec 100644
--- a/example/src/main/resources/templates/welcome.html
+++ b/example/src/main/resources/templates/welcome.html
@@ -50,7 +50,7 @@ <h2 class="adding-signature">Digital signing</h2>
 
 <script type="module">
     "use strict";
-    import * as webeid from "/js/web-eid-1.0.0.js";
+    import * as webeid from "/js/web-eid-1.0.1.js";
     import {hideErrorMessage, showErrorMessage} from "/js/error-message.js";
 
     const signButton = document.querySelector("#webeid-sign-button");

From bcabac762b03ef3bce6f81ff3e75810c29f186d1 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 16 Nov 2021 15:40:20 +0200
Subject: [PATCH 046/116] feat: migrate to authtoken-validation v2, add
 session-backed challenge nonce store

WE2-608

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/docker-compose.yml                    |    2 +-
 example/pom.xml                               |   24 +-
 .../WebEidSpringbootExampleApplication.java   |    2 +-
 .../config/ApplicationConfiguration.java      |    6 +-
 .../config/SameSiteCookieConfiguration.java   |    2 +-
 .../SessionBackedChallengeNonceStore.java     |   37 +
 .../config/ValidationConfiguration.java       |   65 +-
 .../webeid/example/config/YAMLConfig.java     |   19 +-
 .../AuthTokenDTOAuthenticationProvider.java   |   31 +-
 .../WebEidAjaxLoginProcessingFilter.java      |    9 +-
 .../security/WebEidAuthentication.java        |    4 +-
 .../AjaxAuthenticationFailureHandler.java     |    2 +-
 .../AjaxAuthenticationSuccessHandler.java     |    2 +-
 .../example/security/dto/AuthTokenDTO.java    |    9 +-
 .../example/service/SigningService.java       |   20 +-
 .../example/service/dto/CertificateDTO.java   |   17 +-
 .../example/service/dto/ChallengeDTO.java     |    2 +-
 .../webeid/example/service/dto/DigestDTO.java |   12 +-
 .../webeid/example/service/dto/FileDTO.java   |    2 +-
 .../service/dto/SignatureAlgorithmDTO.java    |    2 +-
 .../example/service/dto/SignatureDTO.java     |   22 +-
 .../webeid/example/web/WelcomeController.java |   11 +-
 .../example/web/rest/ChallengeController.java |   14 +-
 .../example/web/rest/SigningController.java   |   14 +-
 .../static/js/{error-message.js => errors.js} |   14 +
 .../main/resources/static/js/web-eid-1.0.1.js | 1135 -----------------
 .../src/main/resources/static/js/web-eid.js   |  431 +++++++
 .../src/main/resources/templates/index.html   |   55 +-
 .../welcome-with-file-upload-support.html     |    4 +-
 .../src/main/resources/templates/welcome.html |   52 +-
 .../AuthenticationRestControllerTest.java     |    6 +-
 .../webeid/example/DateMockingTest.java       |    4 +-
 .../webeid/example/WebApplicationTest.java    |   33 +-
 .../WebEidAjaxLoginProcessingFilterTest.java  |   39 +
 .../webeid/example/testutil/Dates.java        |    2 +-
 .../webeid/example/testutil/HttpHelper.java   |    8 +-
 .../webeid/example/testutil/ObjectMother.java |   52 +-
 .../org/webeid/example/testutil/Tokens.java   |   29 -
 .../src/test/resources/application-dev.yaml   |    4 +
 39 files changed, 775 insertions(+), 1423 deletions(-)
 rename example/src/main/java/{org => eu}/webeid/example/WebEidSpringbootExampleApplication.java (98%)
 rename example/src/main/java/{org => eu}/webeid/example/config/ApplicationConfiguration.java (95%)
 rename example/src/main/java/{org => eu}/webeid/example/config/SameSiteCookieConfiguration.java (98%)
 create mode 100644 example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
 rename example/src/main/java/{org => eu}/webeid/example/config/ValidationConfiguration.java (71%)
 rename example/src/main/java/{org => eu}/webeid/example/config/YAMLConfig.java (84%)
 rename example/src/main/java/{org => eu}/webeid/example/security/AuthTokenDTOAuthenticationProvider.java (76%)
 rename example/src/main/java/{org => eu}/webeid/example/security/WebEidAjaxLoginProcessingFilter.java (94%)
 rename example/src/main/java/{org => eu}/webeid/example/security/WebEidAuthentication.java (96%)
 rename example/src/main/java/{org => eu}/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java (98%)
 rename example/src/main/java/{org => eu}/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java (98%)
 rename example/src/main/java/{org => eu}/webeid/example/security/dto/AuthTokenDTO.java (85%)
 rename example/src/main/java/{org => eu}/webeid/example/service/SigningService.java (94%)
 rename example/src/main/java/{org => eu}/webeid/example/service/dto/CertificateDTO.java (86%)
 rename example/src/main/java/{org => eu}/webeid/example/service/dto/ChallengeDTO.java (97%)
 rename example/src/main/java/{org => eu}/webeid/example/service/dto/DigestDTO.java (84%)
 rename example/src/main/java/{org => eu}/webeid/example/service/dto/FileDTO.java (98%)
 rename example/src/main/java/{org => eu}/webeid/example/service/dto/SignatureAlgorithmDTO.java (98%)
 rename example/src/main/java/{org => eu}/webeid/example/service/dto/SignatureDTO.java (79%)
 rename example/src/main/java/{org => eu}/webeid/example/web/WelcomeController.java (94%)
 rename example/src/main/java/{org => eu}/webeid/example/web/rest/ChallengeController.java (77%)
 rename example/src/main/java/{org => eu}/webeid/example/web/rest/SigningController.java (89%)
 rename example/src/main/resources/static/js/{error-message.js => errors.js} (83%)
 delete mode 100644 example/src/main/resources/static/js/web-eid-1.0.1.js
 create mode 100644 example/src/main/resources/static/js/web-eid.js
 rename example/src/test/java/{org => eu}/webeid/example/AuthenticationRestControllerTest.java (91%)
 rename example/src/test/java/{org => eu}/webeid/example/DateMockingTest.java (95%)
 rename example/src/test/java/{org => eu}/webeid/example/WebApplicationTest.java (83%)
 create mode 100644 example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java
 rename example/src/test/java/{org => eu}/webeid/example/testutil/Dates.java (97%)
 rename example/src/test/java/{org => eu}/webeid/example/testutil/HttpHelper.java (95%)
 rename example/src/test/java/{org => eu}/webeid/example/testutil/ObjectMother.java (61%)
 delete mode 100644 example/src/test/java/org/webeid/example/testutil/Tokens.java
 create mode 100644 example/src/test/resources/application-dev.yaml

diff --git a/example/docker-compose.yml b/example/docker-compose.yml
index d415e6a..c7231bf 100644
--- a/example/docker-compose.yml
+++ b/example/docker-compose.yml
@@ -1,7 +1,7 @@
 version: '2'
 services:
   web-eid-springboot-example:
-    image: web-eid-springboot-example:1.0.0-SNAPSHOT
+    image: web-eid-springboot-example:2.0.0-SNAPSHOT
     restart: always
     environment:
       JAVA_TOOL_OPTIONS: '-Dspring.profiles.active=prod'
diff --git a/example/pom.xml b/example/pom.xml
index 15d503b..17046f7 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -10,7 +10,7 @@
 	</parent>
 	<groupId>org.webeid.example</groupId>
 	<artifactId>web-eid-springboot-example</artifactId>
-	<version>1.0.0-SNAPSHOT</version>
+	<version>2.0.0-SNAPSHOT</version>
 	<name>web-eid-springboot-example</name>
 	<description>Example Spring Boot project that demonstrates how to use Web eID for authentication and digital
 		signing
@@ -20,7 +20,7 @@
 		<java.version>1.8</java.version>
 		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
 		<caffeine.version>2.8.5</caffeine.version>
-		<webeid.version>1.2.0</webeid.version>
+		<webeid.version>2.0.0</webeid.version>
 		<jmockit.version>1.44</jmockit.version>
 	</properties>
 
@@ -33,10 +33,6 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-thymeleaf</artifactId>
 		</dependency>
-		<dependency>
-			<groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot-starter-cache</artifactId>
-		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-security</artifactId>
@@ -46,22 +42,6 @@
 			<artifactId>spring-security-config</artifactId>
 		</dependency>
 
-		<dependency>
-			<groupId>javax.cache</groupId>
-			<artifactId>cache-api</artifactId>
-			<version>1.1.1</version>
-		</dependency>
-		<dependency>
-			<groupId>com.github.ben-manes.caffeine</groupId>
-			<artifactId>caffeine</artifactId>
-			<version>${caffeine.version}</version>
-		</dependency>
-		<dependency>
-			<groupId>com.github.ben-manes.caffeine</groupId>
-			<artifactId>jcache</artifactId>
-			<version>${caffeine.version}</version>
-		</dependency>
-
 		<dependency>
 			<groupId>com.google.guava</groupId>
 			<artifactId>guava</artifactId>
diff --git a/example/src/main/java/org/webeid/example/WebEidSpringbootExampleApplication.java b/example/src/main/java/eu/webeid/example/WebEidSpringbootExampleApplication.java
similarity index 98%
rename from example/src/main/java/org/webeid/example/WebEidSpringbootExampleApplication.java
rename to example/src/main/java/eu/webeid/example/WebEidSpringbootExampleApplication.java
index 12c43dc..8336b75 100644
--- a/example/src/main/java/org/webeid/example/WebEidSpringbootExampleApplication.java
+++ b/example/src/main/java/eu/webeid/example/WebEidSpringbootExampleApplication.java
@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package org.webeid.example;
+package eu.webeid.example;
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
diff --git a/example/src/main/java/org/webeid/example/config/ApplicationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
similarity index 95%
rename from example/src/main/java/org/webeid/example/config/ApplicationConfiguration.java
rename to example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
index e77b4c8..d29add3 100644
--- a/example/src/main/java/org/webeid/example/config/ApplicationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
@@ -20,8 +20,10 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.config;
+package eu.webeid.example.config;
 
+import eu.webeid.example.security.AuthTokenDTOAuthenticationProvider;
+import eu.webeid.example.security.WebEidAjaxLoginProcessingFilter;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
@@ -32,8 +34,6 @@
 import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
-import org.webeid.example.security.AuthTokenDTOAuthenticationProvider;
-import org.webeid.example.security.WebEidAjaxLoginProcessingFilter;
 
 @Configuration
 @EnableWebSecurity
diff --git a/example/src/main/java/org/webeid/example/config/SameSiteCookieConfiguration.java b/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java
similarity index 98%
rename from example/src/main/java/org/webeid/example/config/SameSiteCookieConfiguration.java
rename to example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java
index f735424..4803cf9 100644
--- a/example/src/main/java/org/webeid/example/config/SameSiteCookieConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java
@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.config;
+package eu.webeid.example.config;
 
 import org.apache.tomcat.util.http.Rfc6265CookieProcessor;
 import org.springframework.boot.web.embedded.tomcat.TomcatContextCustomizer;
diff --git a/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java b/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
new file mode 100644
index 0000000..c9021ca
--- /dev/null
+++ b/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
@@ -0,0 +1,37 @@
+package eu.webeid.example.config;
+
+import org.jetbrains.annotations.NotNull;
+import org.springframework.beans.factory.ObjectFactory;
+import eu.webeid.security.challenge.ChallengeNonce;
+import eu.webeid.security.challenge.ChallengeNonceStore;
+
+import javax.servlet.http.HttpSession;
+
+public class SessionBackedChallengeNonceStore implements ChallengeNonceStore {
+
+    private static final String CHALLENGE_NONCE_KEY = "challenge-nonce";
+
+    final ObjectFactory<HttpSession> httpSessionFactory;
+
+    public SessionBackedChallengeNonceStore(ObjectFactory<HttpSession> httpSessionFactory) {
+        this.httpSessionFactory = httpSessionFactory;
+    }
+
+    @Override
+    public void put(ChallengeNonce challengeNonce) {
+        currentSession().setAttribute(CHALLENGE_NONCE_KEY, challengeNonce);
+    }
+
+    @Override
+    public ChallengeNonce getAndRemoveImpl() {
+        final ChallengeNonce challengeNonce = (ChallengeNonce) currentSession().getAttribute(CHALLENGE_NONCE_KEY);
+        currentSession().removeAttribute(CHALLENGE_NONCE_KEY);
+        return challengeNonce;
+    }
+
+    @NotNull
+    private HttpSession currentSession() {
+        return httpSessionFactory.getObject();
+    }
+
+}
diff --git a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
similarity index 71%
rename from example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
rename to example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
index f91b953..f5419f2 100644
--- a/example/src/main/java/org/webeid/example/config/ValidationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
@@ -20,29 +20,24 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.config;
+package eu.webeid.example.config;
 
-import com.github.benmanes.caffeine.jcache.spi.CaffeineCachingProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.ObjectFactory;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.io.Resource;
 import org.springframework.core.io.support.PathMatchingResourcePatternResolver;
-import org.webeid.security.exceptions.JceException;
-import org.webeid.security.nonce.NonceGenerator;
-import org.webeid.security.nonce.NonceGeneratorBuilder;
-import org.webeid.security.validator.AuthTokenValidator;
-import org.webeid.security.validator.AuthTokenValidatorBuilder;
-
-import javax.cache.Cache;
-import javax.cache.CacheManager;
-import javax.cache.Caching;
-import javax.cache.configuration.CompleteConfiguration;
-import javax.cache.configuration.MutableConfiguration;
-import javax.cache.expiry.CreatedExpiryPolicy;
-import javax.cache.expiry.Duration;
+import eu.webeid.security.challenge.ChallengeNonceGenerator;
+import eu.webeid.security.challenge.ChallengeNonceGeneratorBuilder;
+import eu.webeid.security.challenge.ChallengeNonceStore;
+import eu.webeid.security.exceptions.JceException;
+import eu.webeid.security.validator.AuthTokenValidator;
+import eu.webeid.security.validator.AuthTokenValidatorBuilder;
+
+import javax.servlet.http.HttpSession;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URI;
@@ -52,21 +47,17 @@
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
-import java.time.ZonedDateTime;
+import java.time.Duration;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.List;
-import java.util.concurrent.TimeUnit;
-
-import static javax.cache.configuration.FactoryBuilder.factoryOf;
 
 @Configuration
 public class ValidationConfiguration {
 
     private static final Logger LOG = LoggerFactory.getLogger(ValidationConfiguration.class);
 
-    private static final String CACHE_NAME = "nonceCache";
-    private static final long NONCE_TTL_MINUTES = 5;
+    private static final long CHALLENGE_NONCE_TTL_MINUTES = 5;
     private static final String CERTS_RESOURCE_PATH = "/certs/";
     public static final String TRUSTED_CERTIFICATES_JKS = "trusted_certificates.jks";
 
@@ -74,26 +65,15 @@ public class ValidationConfiguration {
     private String activeProfile;
 
     @Bean
-    public CacheManager cacheManager() {
-        return Caching.getCachingProvider(CaffeineCachingProvider.class.getName()).getCacheManager();
-    }
-
-    @Bean
-    public Cache<String, ZonedDateTime> nonceCache() {
-        final CacheManager cacheManager = cacheManager();
-        Cache<String, ZonedDateTime> cache = cacheManager.getCache(CACHE_NAME);
-
-        if (cache == null) {
-            cache = createNonceCache(cacheManager);
-        }
-        return cache;
+    public ChallengeNonceStore sessionBasedChallengeNonceStore(ObjectFactory<HttpSession> httpSessionFactory) {
+        return new SessionBackedChallengeNonceStore(httpSessionFactory);
     }
 
     @Bean
-    public NonceGenerator generator() {
-        return new NonceGeneratorBuilder()
-                .withNonceTtl(java.time.Duration.ofMinutes(NONCE_TTL_MINUTES))
-                .withNonceCache(nonceCache())
+    public ChallengeNonceGenerator generator(ChallengeNonceStore challengeNonceStore) {
+        return new ChallengeNonceGeneratorBuilder()
+                .withNonceTtl(Duration.ofMinutes(CHALLENGE_NONCE_TTL_MINUTES))
+                .withChallengeNonceStore(challengeNonceStore)
                 .build();
     }
 
@@ -143,13 +123,11 @@ public X509Certificate[] loadTrustedCACertificatesFromTrustStore() {
         return caCertificates.toArray(new X509Certificate[0]);
     }
 
-
     @Bean
     public AuthTokenValidator validator() {
         try {
             return new AuthTokenValidatorBuilder()
                     .withSiteOrigin(URI.create(yamlConfig().getLocalOrigin()))
-                    .withNonceCache(nonceCache())
                     .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromCerFiles())
                     .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromTrustStore())
                     .build();
@@ -163,11 +141,4 @@ public YAMLConfig yamlConfig() {
         return new YAMLConfig();
     }
 
-    private Cache<String, ZonedDateTime> createNonceCache(CacheManager cacheManager) {
-        CompleteConfiguration<String, ZonedDateTime> cacheConfig = new MutableConfiguration<String, ZonedDateTime>()
-                .setTypes(String.class, ZonedDateTime.class)
-                .setExpiryPolicyFactory(factoryOf(new CreatedExpiryPolicy(
-                        new Duration(TimeUnit.MINUTES, NONCE_TTL_MINUTES + 1))));
-        return cacheManager.createCache(CACHE_NAME, cacheConfig);
-    }
 }
diff --git a/example/src/main/java/org/webeid/example/config/YAMLConfig.java b/example/src/main/java/eu/webeid/example/config/YAMLConfig.java
similarity index 84%
rename from example/src/main/java/org/webeid/example/config/YAMLConfig.java
rename to example/src/main/java/eu/webeid/example/config/YAMLConfig.java
index 3400a61..5c874ef 100644
--- a/example/src/main/java/org/webeid/example/config/YAMLConfig.java
+++ b/example/src/main/java/eu/webeid/example/config/YAMLConfig.java
@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.config;
+package eu.webeid.example.config;
 
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.context.properties.ConfigurationProperties;
@@ -32,11 +32,11 @@
 @ConfigurationProperties(prefix = "web-eid-auth-token.validation")
 public class YAMLConfig {
 
-    private final String FINGERPRINT_PREFIX = "urn:cert:sha-256:";
-
     @Value("local-origin")
     private String localOrigin;
-    private String fingerprint;
+
+    @Value("site-cert-hash")
+    private String siteCertHash;
 
     @Value("truststore-password")
     private String trustStorePassword;
@@ -52,15 +52,12 @@ public void setLocalOrigin(String localOrigin) {
         this.localOrigin = localOrigin;
     }
 
-    public String getFingerprint() {
-        if (fingerprint != null && !fingerprint.startsWith(FINGERPRINT_PREFIX)) {
-            fingerprint = FINGERPRINT_PREFIX + fingerprint.replace(":", "").toLowerCase();
-        }
-        return fingerprint;
+    public String getSiteCertHash() {
+        return siteCertHash;
     }
 
-    public void setFingerprint(String fingerprint) {
-        this.fingerprint = fingerprint;
+    public void setSiteCertHash(String siteCertHash) {
+        this.siteCertHash = siteCertHash;
     }
 
     public String getTrustStorePassword() {
diff --git a/example/src/main/java/org/webeid/example/security/AuthTokenDTOAuthenticationProvider.java b/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
similarity index 76%
rename from example/src/main/java/org/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
rename to example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
index db63854..8cc05ac 100644
--- a/example/src/main/java/org/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
+++ b/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
@@ -20,8 +20,9 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.security;
+package eu.webeid.example.security;
 
+import eu.webeid.example.security.dto.AuthTokenDTO;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -33,13 +34,16 @@
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.stereotype.Component;
-import org.webeid.example.security.dto.AuthTokenDTO;
-import org.webeid.security.exceptions.TokenValidationException;
-import org.webeid.security.validator.AuthTokenValidator;
+import eu.webeid.security.authtoken.WebEidAuthToken;
+import eu.webeid.security.challenge.ChallengeNonceStore;
+import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.validator.AuthTokenValidator;
 
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;
 
 /**
@@ -54,27 +58,26 @@ public class AuthTokenDTOAuthenticationProvider implements AuthenticationProvide
 
     @Autowired
     private AuthTokenValidator tokenValidator;
+    @Autowired
+    private ChallengeNonceStore challengeNonceStore;
 
     @Override
     public Authentication authenticate(Authentication auth) throws AuthenticationException {
         LOG.info("authenticate(): {}", auth);
 
         final PreAuthenticatedAuthenticationToken authentication = (PreAuthenticatedAuthenticationToken) auth;
+        final WebEidAuthToken authToken = ((AuthTokenDTO) authentication.getCredentials()).getToken();
 
-        final String token = ((AuthTokenDTO) authentication.getCredentials()).getToken();
-
-        final List<GrantedAuthority> authorities = new ArrayList<>(2);
-        authorities.add(USER_ROLE);
+        final List<GrantedAuthority> authorities = Collections.singletonList(USER_ROLE);
 
         try {
-            final X509Certificate userCertificate = tokenValidator.validate(token);
+            final String nonce = challengeNonceStore.getAndRemove().getBase64EncodedNonce();
+            final X509Certificate userCertificate = tokenValidator.validate(authToken, nonce);
             return WebEidAuthentication.fromCertificate(userCertificate, authorities);
-        } catch (TokenValidationException e) {
-            LOG.warn("Token validation has failed", e);
-            throw new AuthenticationServiceException("Token validation failed: " + e.getMessage());
+        } catch (AuthTokenException e) {
+            throw new AuthenticationServiceException("Web eID token validation failed", e);
         } catch (CertificateEncodingException e) {
-            LOG.warn("Failed to extract subject fields from certificate", e);
-            throw new AuthenticationServiceException("Incorrect certificate subject fields: " + e.getMessage());
+            throw new AuthenticationServiceException("Web eID token has incorrect certificate subject fields", e);
         }
     }
 
diff --git a/example/src/main/java/org/webeid/example/security/WebEidAjaxLoginProcessingFilter.java b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
similarity index 94%
rename from example/src/main/java/org/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
rename to example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
index b78b54f..0d8ed01 100644
--- a/example/src/main/java/org/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
@@ -20,12 +20,16 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.security;
+package eu.webeid.example.security;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import java.io.IOException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+
+import eu.webeid.example.security.ajax.AjaxAuthenticationFailureHandler;
+import eu.webeid.example.security.ajax.AjaxAuthenticationSuccessHandler;
+import eu.webeid.example.security.dto.AuthTokenDTO;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpMethod;
@@ -35,9 +39,6 @@
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
-import org.webeid.example.security.ajax.AjaxAuthenticationFailureHandler;
-import org.webeid.example.security.ajax.AjaxAuthenticationSuccessHandler;
-import org.webeid.example.security.dto.AuthTokenDTO;
 
 public class WebEidAjaxLoginProcessingFilter extends AbstractAuthenticationProcessingFilter {
     private static final Logger LOG = LoggerFactory.getLogger(WebEidAjaxLoginProcessingFilter.class);
diff --git a/example/src/main/java/org/webeid/example/security/WebEidAuthentication.java b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
similarity index 96%
rename from example/src/main/java/org/webeid/example/security/WebEidAuthentication.java
rename to example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
index 831bb85..16a4306 100644
--- a/example/src/main/java/org/webeid/example/security/WebEidAuthentication.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
@@ -20,12 +20,12 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.security;
+package eu.webeid.example.security;
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
-import org.webeid.security.certificate.CertificateData;
+import eu.webeid.security.certificate.CertificateData;
 
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
diff --git a/example/src/main/java/org/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
similarity index 98%
rename from example/src/main/java/org/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
rename to example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
index d173206..a21e7e9 100644
--- a/example/src/main/java/org/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
+++ b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.security.ajax;
+package eu.webeid.example.security.ajax;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
diff --git a/example/src/main/java/org/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
similarity index 98%
rename from example/src/main/java/org/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
rename to example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
index 2d2ccc7..4567db7 100644
--- a/example/src/main/java/org/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
+++ b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.security.ajax;
+package eu.webeid.example.security.ajax;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.core.JsonProcessingException;
diff --git a/example/src/main/java/org/webeid/example/security/dto/AuthTokenDTO.java b/example/src/main/java/eu/webeid/example/security/dto/AuthTokenDTO.java
similarity index 85%
rename from example/src/main/java/org/webeid/example/security/dto/AuthTokenDTO.java
rename to example/src/main/java/eu/webeid/example/security/dto/AuthTokenDTO.java
index 7235404..a2f4b01 100644
--- a/example/src/main/java/org/webeid/example/security/dto/AuthTokenDTO.java
+++ b/example/src/main/java/eu/webeid/example/security/dto/AuthTokenDTO.java
@@ -20,19 +20,20 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.security.dto;
+package eu.webeid.example.security.dto;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
+import eu.webeid.security.authtoken.WebEidAuthToken;
 
 public class AuthTokenDTO {
     @JsonProperty("auth-token")
-    private String token;
+    private WebEidAuthToken token;
 
-    public String getToken() {
+    public WebEidAuthToken getToken() {
         return token;
     }
 
-    public void setToken(String token) {
+    public void setToken(WebEidAuthToken token) {
         this.token = token;
     }
 }
diff --git a/example/src/main/java/org/webeid/example/service/SigningService.java b/example/src/main/java/eu/webeid/example/service/SigningService.java
similarity index 94%
rename from example/src/main/java/org/webeid/example/service/SigningService.java
rename to example/src/main/java/eu/webeid/example/service/SigningService.java
index e971e1d..80e7fc6 100644
--- a/example/src/main/java/org/webeid/example/service/SigningService.java
+++ b/example/src/main/java/eu/webeid/example/service/SigningService.java
@@ -20,9 +20,15 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.service;
+package eu.webeid.example.service;
 
 import com.google.common.io.ByteStreams;
+import eu.webeid.example.config.YAMLConfig;
+import eu.webeid.example.security.WebEidAuthentication;
+import eu.webeid.example.service.dto.CertificateDTO;
+import eu.webeid.example.service.dto.DigestDTO;
+import eu.webeid.example.service.dto.FileDTO;
+import eu.webeid.example.service.dto.SignatureDTO;
 import org.apache.commons.io.FilenameUtils;
 import org.digidoc4j.*;
 import org.digidoc4j.utils.TokenAlgorithmSupport;
@@ -31,14 +37,8 @@
 import org.springframework.beans.factory.ObjectFactory;
 import org.springframework.core.io.ByteArrayResource;
 import org.springframework.stereotype.Service;
-import org.webeid.example.config.YAMLConfig;
-import org.webeid.example.security.WebEidAuthentication;
-import org.webeid.example.service.dto.CertificateDTO;
-import org.webeid.example.service.dto.DigestDTO;
-import org.webeid.example.service.dto.FileDTO;
-import org.webeid.example.service.dto.SignatureDTO;
-import org.webeid.example.web.rest.SigningController;
-import org.webeid.security.certificate.CertificateData;
+import eu.webeid.example.web.rest.SigningController;
+import eu.webeid.security.certificate.CertificateData;
 
 import javax.servlet.http.HttpSession;
 import javax.xml.bind.DatatypeConverter;
@@ -113,7 +113,7 @@ public DigestDTO prepareContainer(CertificateDTO certificateDTO, WebEidAuthentic
 
         DigestDTO digestDTO = new DigestDTO();
         digestDTO.setHash(DatatypeConverter.printBase64Binary(digest));
-        digestDTO.setAlgorithm(digestAlgorithm);
+        digestDTO.setHashFunction(digestAlgorithm);
 
         return digestDTO;
     }
diff --git a/example/src/main/java/org/webeid/example/service/dto/CertificateDTO.java b/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java
similarity index 86%
rename from example/src/main/java/org/webeid/example/service/dto/CertificateDTO.java
rename to example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java
index 0f81e39..4d80dde 100644
--- a/example/src/main/java/org/webeid/example/service/dto/CertificateDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java
@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.service.dto;
+package eu.webeid.example.service.dto;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 
@@ -36,18 +36,15 @@
 
 public class CertificateDTO {
 
-    @JsonProperty("certificate")
-    private String base64String;
-
-    @JsonProperty("supported-signature-algos")
+    private String certificate;
     private List<SignatureAlgorithmDTO> supportedSignatureAlgorithms;
 
-    public String getBase64String() {
-        return base64String;
+    public String getCertificate() {
+        return certificate;
     }
 
-    public void setBase64String(String base64String) {
-        this.base64String = base64String;
+    public void setCertificate(String certificate) {
+        this.certificate = certificate;
     }
 
     public List<SignatureAlgorithmDTO> getSupportedSignatureAlgorithms() {
@@ -59,7 +56,7 @@ public void setSupportedSignatureAlgorithms(List<SignatureAlgorithmDTO> supporte
     }
 
     public X509Certificate toX509Certificate() throws CertificateException {
-        byte[] certificateBytes = Base64.getDecoder().decode(base64String);
+        byte[] certificateBytes = Base64.getDecoder().decode(certificate);
         InputStream inStream = new ByteArrayInputStream(certificateBytes);
         CertificateFactory cf = CertificateFactory.getInstance("X.509");
         return (X509Certificate) cf.generateCertificate(inStream);
diff --git a/example/src/main/java/org/webeid/example/service/dto/ChallengeDTO.java b/example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java
similarity index 97%
rename from example/src/main/java/org/webeid/example/service/dto/ChallengeDTO.java
rename to example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java
index e0fd24b..872a260 100644
--- a/example/src/main/java/org/webeid/example/service/dto/ChallengeDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java
@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.service.dto;
+package eu.webeid.example.service.dto;
 
 public class ChallengeDTO {
     private String nonce;
diff --git a/example/src/main/java/org/webeid/example/service/dto/DigestDTO.java b/example/src/main/java/eu/webeid/example/service/dto/DigestDTO.java
similarity index 84%
rename from example/src/main/java/org/webeid/example/service/dto/DigestDTO.java
rename to example/src/main/java/eu/webeid/example/service/dto/DigestDTO.java
index dbb3e6f..1b05dba 100644
--- a/example/src/main/java/org/webeid/example/service/dto/DigestDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/DigestDTO.java
@@ -20,11 +20,11 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.service.dto;
+package eu.webeid.example.service.dto;
 
 public class DigestDTO {
     private String hash;
-    private String algorithm;
+    private String hashFunction;
 
     public String getHash() {
         return hash;
@@ -34,11 +34,11 @@ public void setHash(String hash) {
         this.hash = hash;
     }
 
-    public String getAlgorithm() {
-        return algorithm;
+    public String getHashFunction() {
+        return hashFunction;
     }
 
-    public void setAlgorithm(String algorithm) {
-        this.algorithm = algorithm;
+    public void setHashFunction(String hashFunction) {
+        this.hashFunction = hashFunction;
     }
 }
diff --git a/example/src/main/java/org/webeid/example/service/dto/FileDTO.java b/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java
similarity index 98%
rename from example/src/main/java/org/webeid/example/service/dto/FileDTO.java
rename to example/src/main/java/eu/webeid/example/service/dto/FileDTO.java
index bea02af..47a2bcf 100644
--- a/example/src/main/java/org/webeid/example/service/dto/FileDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java
@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.service.dto;
+package eu.webeid.example.service.dto;
 
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.util.MimeTypeUtils;
diff --git a/example/src/main/java/org/webeid/example/service/dto/SignatureAlgorithmDTO.java b/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
similarity index 98%
rename from example/src/main/java/org/webeid/example/service/dto/SignatureAlgorithmDTO.java
rename to example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
index 31373de..142e393 100644
--- a/example/src/main/java/org/webeid/example/service/dto/SignatureAlgorithmDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.service.dto;
+package eu.webeid.example.service.dto;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
 
diff --git a/example/src/main/java/org/webeid/example/service/dto/SignatureDTO.java b/example/src/main/java/eu/webeid/example/service/dto/SignatureDTO.java
similarity index 79%
rename from example/src/main/java/org/webeid/example/service/dto/SignatureDTO.java
rename to example/src/main/java/eu/webeid/example/service/dto/SignatureDTO.java
index 5253a48..c3df702 100644
--- a/example/src/main/java/org/webeid/example/service/dto/SignatureDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/SignatureDTO.java
@@ -20,33 +20,17 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.service.dto;
+package eu.webeid.example.service.dto;
 
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 
+@JsonIgnoreProperties(ignoreUnknown = true)
 public class SignatureDTO {
-    private String hash;
-    private String algorithm;
 
     @JsonProperty("signature")
     private String base64Signature;
 
-    public String getHash() {
-        return hash;
-    }
-
-    public void setHash(String hash) {
-        this.hash = hash;
-    }
-
-    public String getAlgorithm() {
-        return algorithm;
-    }
-
-    public void setAlgorithm(String algorithm) {
-        this.algorithm = algorithm;
-    }
-
     public String getBase64Signature() {
         return base64Signature;
     }
diff --git a/example/src/main/java/org/webeid/example/web/WelcomeController.java b/example/src/main/java/eu/webeid/example/web/WelcomeController.java
similarity index 94%
rename from example/src/main/java/org/webeid/example/web/WelcomeController.java
rename to example/src/main/java/eu/webeid/example/web/WelcomeController.java
index 66d34d3..22befa9 100644
--- a/example/src/main/java/org/webeid/example/web/WelcomeController.java
+++ b/example/src/main/java/eu/webeid/example/web/WelcomeController.java
@@ -20,12 +20,8 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.web;
+package eu.webeid.example.web;
 
-import static org.webeid.example.security.AuthTokenDTOAuthenticationProvider.ROLE_USER;
-
-import java.security.Principal;
-import javax.validation.constraints.NotNull;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.access.prepost.PreAuthorize;
@@ -33,6 +29,11 @@
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
 
+import javax.validation.constraints.NotNull;
+import java.security.Principal;
+
+import static eu.webeid.example.security.AuthTokenDTOAuthenticationProvider.ROLE_USER;
+
 @Controller
 public class WelcomeController {
     private static final Logger LOG = LoggerFactory.getLogger(WelcomeController.class);
diff --git a/example/src/main/java/org/webeid/example/web/rest/ChallengeController.java b/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java
similarity index 77%
rename from example/src/main/java/org/webeid/example/web/rest/ChallengeController.java
rename to example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java
index 677539b..01eec9d 100644
--- a/example/src/main/java/org/webeid/example/web/rest/ChallengeController.java
+++ b/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java
@@ -20,28 +20,28 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.web.rest;
+package eu.webeid.example.web.rest;
 
+import eu.webeid.example.service.dto.ChallengeDTO;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
-import org.webeid.example.service.dto.ChallengeDTO;
-import org.webeid.security.nonce.NonceGenerator;
+import eu.webeid.security.challenge.ChallengeNonceGenerator;
 
 @RestController
 @RequestMapping("auth")
 public class ChallengeController {
 
-    private final NonceGenerator nonceGenerator;
+    private final ChallengeNonceGenerator challengeNonceGenerator;
 
-    public ChallengeController(NonceGenerator nonceGenerator) {
-        this.nonceGenerator = nonceGenerator;
+    public ChallengeController(ChallengeNonceGenerator challengeNonceGenerator) {
+        this.challengeNonceGenerator = challengeNonceGenerator;
     }
 
     @GetMapping("challenge")
     public ChallengeDTO challenge() {
         final ChallengeDTO challenge = new ChallengeDTO();
-        challenge.setNonce(nonceGenerator.generateAndStoreNonce());
+        challenge.setNonce(challengeNonceGenerator.generateAndStoreNonce().getBase64EncodedNonce());
         return challenge;
     }
 }
diff --git a/example/src/main/java/org/webeid/example/web/rest/SigningController.java b/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
similarity index 89%
rename from example/src/main/java/org/webeid/example/web/rest/SigningController.java
rename to example/src/main/java/eu/webeid/example/web/rest/SigningController.java
index 65030b7..840cde8 100644
--- a/example/src/main/java/org/webeid/example/web/rest/SigningController.java
+++ b/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
@@ -20,19 +20,19 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.web.rest;
+package eu.webeid.example.web.rest;
 
+import eu.webeid.example.security.WebEidAuthentication;
+import eu.webeid.example.service.SigningService;
+import eu.webeid.example.service.dto.CertificateDTO;
+import eu.webeid.example.service.dto.DigestDTO;
+import eu.webeid.example.service.dto.FileDTO;
+import eu.webeid.example.service.dto.SignatureDTO;
 import org.springframework.core.io.ByteArrayResource;
 import org.springframework.core.io.Resource;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
-import org.webeid.example.security.WebEidAuthentication;
-import org.webeid.example.service.SigningService;
-import org.webeid.example.service.dto.CertificateDTO;
-import org.webeid.example.service.dto.DigestDTO;
-import org.webeid.example.service.dto.FileDTO;
-import org.webeid.example.service.dto.SignatureDTO;
 
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
diff --git a/example/src/main/resources/static/js/error-message.js b/example/src/main/resources/static/js/errors.js
similarity index 83%
rename from example/src/main/resources/static/js/error-message.js
rename to example/src/main/resources/static/js/errors.js
index 840b942..7bc8c92 100644
--- a/example/src/main/resources/static/js/error-message.js
+++ b/example/src/main/resources/static/js/errors.js
@@ -43,3 +43,17 @@ export function showErrorMessage(error) {
     alertUi.alertDetails.innerText = details;
     alertUi.alert.style.display = "block";
 }
+
+export async function checkHttpError(response) {
+    if (!response.ok) {
+        let body;
+        try {
+            body = await response.text();
+        } catch (error) {
+            body = "<<unable to retrieve response body>>";
+        }
+        const error = new Error("Server error: " + body);
+        error.code = response.status;
+        throw error;
+    }
+}
\ No newline at end of file
diff --git a/example/src/main/resources/static/js/web-eid-1.0.1.js b/example/src/main/resources/static/js/web-eid-1.0.1.js
deleted file mode 100644
index 6244468..0000000
--- a/example/src/main/resources/static/js/web-eid-1.0.1.js
+++ /dev/null
@@ -1,1135 +0,0 @@
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-var config = Object.freeze({
-    VERSION: "1.0.1",
-    EXTENSION_HANDSHAKE_TIMEOUT: 1000,
-    NATIVE_APP_HANDSHAKE_TIMEOUT: 5 * 1000,
-    DEFAULT_USER_INTERACTION_TIMEOUT: 2 * 60 * 1000,
-    DEFAULT_SERVER_REQUEST_TIMEOUT: 20 * 1000,
-});
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-var ErrorCode;
-(function (ErrorCode) {
-    // Timeout errors
-    ErrorCode["ERR_WEBEID_ACTION_TIMEOUT"] = "ERR_WEBEID_ACTION_TIMEOUT";
-    ErrorCode["ERR_WEBEID_USER_TIMEOUT"] = "ERR_WEBEID_USER_TIMEOUT";
-    ErrorCode["ERR_WEBEID_SERVER_TIMEOUT"] = "ERR_WEBEID_SERVER_TIMEOUT";
-    // Health errors
-    ErrorCode["ERR_WEBEID_VERSION_MISMATCH"] = "ERR_WEBEID_VERSION_MISMATCH";
-    ErrorCode["ERR_WEBEID_VERSION_INVALID"] = "ERR_WEBEID_VERSION_INVALID";
-    ErrorCode["ERR_WEBEID_EXTENSION_UNAVAILABLE"] = "ERR_WEBEID_EXTENSION_UNAVAILABLE";
-    ErrorCode["ERR_WEBEID_NATIVE_UNAVAILABLE"] = "ERR_WEBEID_NATIVE_UNAVAILABLE";
-    ErrorCode["ERR_WEBEID_UNKNOWN_ERROR"] = "ERR_WEBEID_UNKNOWN_ERROR";
-    // Security errors
-    ErrorCode["ERR_WEBEID_CONTEXT_INSECURE"] = "ERR_WEBEID_CONTEXT_INSECURE";
-    ErrorCode["ERR_WEBEID_PROTOCOL_INSECURE"] = "ERR_WEBEID_PROTOCOL_INSECURE";
-    ErrorCode["ERR_WEBEID_TLS_CONNECTION_BROKEN"] = "ERR_WEBEID_TLS_CONNECTION_BROKEN";
-    ErrorCode["ERR_WEBEID_TLS_CONNECTION_INSECURE"] = "ERR_WEBEID_TLS_CONNECTION_INSECURE";
-    ErrorCode["ERR_WEBEID_TLS_CONNECTION_WEAK"] = "ERR_WEBEID_TLS_CONNECTION_WEAK";
-    ErrorCode["ERR_WEBEID_CERTIFICATE_CHANGED"] = "ERR_WEBEID_CERTIFICATE_CHANGED";
-    ErrorCode["ERR_WEBEID_ORIGIN_MISMATCH"] = "ERR_WEBEID_ORIGIN_MISMATCH";
-    // Third party errors
-    ErrorCode["ERR_WEBEID_SERVER_REJECTED"] = "ERR_WEBEID_SERVER_REJECTED";
-    ErrorCode["ERR_WEBEID_USER_CANCELLED"] = "ERR_WEBEID_USER_CANCELLED";
-    ErrorCode["ERR_WEBEID_NATIVE_INVALID_ARGUMENT"] = "ERR_WEBEID_NATIVE_INVALID_ARGUMENT";
-    ErrorCode["ERR_WEBEID_NATIVE_FATAL"] = "ERR_WEBEID_NATIVE_FATAL";
-    // Developer mistakes
-    ErrorCode["ERR_WEBEID_ACTION_PENDING"] = "ERR_WEBEID_ACTION_PENDING";
-    ErrorCode["ERR_WEBEID_MISSING_PARAMETER"] = "ERR_WEBEID_MISSING_PARAMETER";
-})(ErrorCode || (ErrorCode = {}));
-var ErrorCode$1 = ErrorCode;
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-var Action;
-(function (Action) {
-    Action["STATUS"] = "web-eid:status";
-    Action["STATUS_ACK"] = "web-eid:status-ack";
-    Action["STATUS_SUCCESS"] = "web-eid:status-success";
-    Action["STATUS_FAILURE"] = "web-eid:status-failure";
-    Action["AUTHENTICATE"] = "web-eid:authenticate";
-    Action["AUTHENTICATE_ACK"] = "web-eid:authenticate-ack";
-    Action["AUTHENTICATE_SUCCESS"] = "web-eid:authenticate-success";
-    Action["AUTHENTICATE_FAILURE"] = "web-eid:authenticate-failure";
-    Action["SIGN"] = "web-eid:sign";
-    Action["SIGN_ACK"] = "web-eid:sign-ack";
-    Action["SIGN_SUCCESS"] = "web-eid:sign-success";
-    Action["SIGN_FAILURE"] = "web-eid:sign-failure";
-})(Action || (Action = {}));
-var Action$1 = Action;
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class CertificateChangedError extends Error {
-    constructor(message = "server certificate changed between requests") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_CERTIFICATE_CHANGED;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class OriginMismatchError extends Error {
-    constructor(message = "URLs for a single operation require the same origin") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_ORIGIN_MISMATCH;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-const SECURE_CONTEXTS_INFO_URL = "https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts";
-class ContextInsecureError extends Error {
-    constructor(message = "Secure context required, see " + SECURE_CONTEXTS_INFO_URL) {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_CONTEXT_INSECURE;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class ExtensionUnavailableError extends Error {
-    constructor(message = "Web-eID extension is not available") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_EXTENSION_UNAVAILABLE;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class ActionPendingError extends Error {
-    constructor(message = "same action for Web-eID browser extension is already pending") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_ACTION_PENDING;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class NativeInvalidArgumentError extends Error {
-    constructor(message = "native application received an invalid argument") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_NATIVE_INVALID_ARGUMENT;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class NativeFatalError extends Error {
-    constructor(message = "native application terminated with a fatal error") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_NATIVE_FATAL;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class NativeUnavailableError extends Error {
-    constructor(message = "Web-eID native application is not available") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_NATIVE_UNAVAILABLE;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class ServerRejectedError extends Error {
-    constructor(message = "server rejected the request") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_SERVER_REJECTED;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class UserTimeoutError extends Error {
-    constructor(message = "user failed to respond in time") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_USER_TIMEOUT;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class UserCancelledError extends Error {
-    constructor(message = "request was cancelled by the user") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_USER_CANCELLED;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-function tmpl(strings, requiresUpdate) {
-    return `Update required for Web-eID ${requiresUpdate}`;
-}
-class VersionMismatchError extends Error {
-    constructor(message, versions, requiresUpdate) {
-        if (!message) {
-            if (!requiresUpdate) {
-                message = "requiresUpdate not provided";
-            }
-            else if (requiresUpdate.extension && requiresUpdate.nativeApp) {
-                message = tmpl `${"extension and native app"}`;
-            }
-            else if (requiresUpdate.extension) {
-                message = tmpl `${"extension"}`;
-            }
-            else if (requiresUpdate.nativeApp) {
-                message = tmpl `${"native app"}`;
-            }
-        }
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_VERSION_MISMATCH;
-        this.requiresUpdate = requiresUpdate;
-        if (versions) {
-            const { library, extension, nativeApp } = versions;
-            Object.assign(this, { library, extension, nativeApp });
-        }
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class TlsConnectionBrokenError extends Error {
-    constructor(message = "TLS connection was broken") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_BROKEN;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class TlsConnectionInsecureError extends Error {
-    constructor(message = "TLS connection was insecure") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_INSECURE;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class TlsConnectionWeakError extends Error {
-    constructor(message = "TLS connection was weak") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_WEAK;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class ProtocolInsecureError extends Error {
-    constructor(message = "HTTPS required") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_PROTOCOL_INSECURE;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class ActionTimeoutError extends Error {
-    constructor(message = "extension message timeout") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_ACTION_TIMEOUT;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class VersionInvalidError extends Error {
-    constructor(message = "invalid version string") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_VERSION_INVALID;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class ServerTimeoutError extends Error {
-    constructor(message = "server failed to respond in time") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_SERVER_TIMEOUT;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class UnknownError extends Error {
-    constructor(message = "an unknown error occurred") {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_UNKNOWN_ERROR;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-const errorCodeToErrorClass = {
-    [ErrorCode$1.ERR_WEBEID_ACTION_PENDING]: ActionPendingError,
-    [ErrorCode$1.ERR_WEBEID_ACTION_TIMEOUT]: ActionTimeoutError,
-    [ErrorCode$1.ERR_WEBEID_CERTIFICATE_CHANGED]: CertificateChangedError,
-    [ErrorCode$1.ERR_WEBEID_ORIGIN_MISMATCH]: OriginMismatchError,
-    [ErrorCode$1.ERR_WEBEID_CONTEXT_INSECURE]: ContextInsecureError,
-    [ErrorCode$1.ERR_WEBEID_EXTENSION_UNAVAILABLE]: ExtensionUnavailableError,
-    [ErrorCode$1.ERR_WEBEID_NATIVE_INVALID_ARGUMENT]: NativeInvalidArgumentError,
-    [ErrorCode$1.ERR_WEBEID_NATIVE_FATAL]: NativeFatalError,
-    [ErrorCode$1.ERR_WEBEID_NATIVE_UNAVAILABLE]: NativeUnavailableError,
-    [ErrorCode$1.ERR_WEBEID_PROTOCOL_INSECURE]: ProtocolInsecureError,
-    [ErrorCode$1.ERR_WEBEID_SERVER_REJECTED]: ServerRejectedError,
-    [ErrorCode$1.ERR_WEBEID_SERVER_TIMEOUT]: ServerTimeoutError,
-    [ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_BROKEN]: TlsConnectionBrokenError,
-    [ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_INSECURE]: TlsConnectionInsecureError,
-    [ErrorCode$1.ERR_WEBEID_TLS_CONNECTION_WEAK]: TlsConnectionWeakError,
-    [ErrorCode$1.ERR_WEBEID_USER_CANCELLED]: UserCancelledError,
-    [ErrorCode$1.ERR_WEBEID_USER_TIMEOUT]: UserTimeoutError,
-    [ErrorCode$1.ERR_WEBEID_VERSION_INVALID]: VersionInvalidError,
-    [ErrorCode$1.ERR_WEBEID_VERSION_MISMATCH]: VersionMismatchError,
-};
-function deserializeError(errorObject) {
-    let error;
-    if (typeof errorObject.code == "string" && errorObject.code in errorCodeToErrorClass) {
-        const CustomError = errorCodeToErrorClass[errorObject.code];
-        error = new CustomError();
-    }
-    else {
-        error = new UnknownError();
-    }
-    for (const [key, value] of Object.entries(errorObject)) {
-        error[key] = value;
-    }
-    return error;
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class WebExtensionService {
-    constructor() {
-        this.queue = [];
-        window.addEventListener("message", (event) => this.receive(event));
-    }
-    receive(event) {
-        var _a, _b, _c, _d, _e;
-        if (!/^web-eid:/.test((_a = event.data) === null || _a === void 0 ? void 0 : _a.action))
-            return;
-        const message = event.data;
-        const suffix = (_c = (_b = message.action) === null || _b === void 0 ? void 0 : _b.match(/success$|failure$|ack$/)) === null || _c === void 0 ? void 0 : _c[0];
-        const initialAction = this.getInitialAction(message.action);
-        const pending = this.getPendingMessage(initialAction);
-        if (suffix === "ack") {
-            console.log("ack message", message);
-            console.log("ack pending", pending === null || pending === void 0 ? void 0 : pending.message.action);
-            console.log("ack queue", JSON.stringify(this.queue));
-        }
-        if (pending) {
-            switch (suffix) {
-                case "ack": {
-                    clearTimeout(pending.ackTimer);
-                    break;
-                }
-                case "success": {
-                    (_d = pending.resolve) === null || _d === void 0 ? void 0 : _d.call(pending, message);
-                    this.removeFromQueue(initialAction);
-                    break;
-                }
-                case "failure": {
-                    (_e = pending.reject) === null || _e === void 0 ? void 0 : _e.call(pending, message.error ? deserializeError(message.error) : message);
-                    this.removeFromQueue(initialAction);
-                    break;
-                }
-            }
-        }
-    }
-    send(message, timeout) {
-        if (this.getPendingMessage(message.action)) {
-            return Promise.reject(new ActionPendingError());
-        }
-        else if (!window.isSecureContext) {
-            return Promise.reject(new ContextInsecureError());
-        }
-        else {
-            const pending = { message };
-            this.queue.push(pending);
-            pending.promise = new Promise((resolve, reject) => {
-                pending.resolve = resolve;
-                pending.reject = reject;
-            });
-            pending.ackTimer = setTimeout(() => this.onAckTimeout(pending), config.EXTENSION_HANDSHAKE_TIMEOUT);
-            pending.replyTimer = setTimeout(() => this.onReplyTimeout(pending), timeout);
-            window.postMessage(message, "*");
-            return pending.promise;
-        }
-    }
-    onReplyTimeout(pending) {
-        var _a;
-        console.log("onReplyTimeout", pending.message.action);
-        (_a = pending.reject) === null || _a === void 0 ? void 0 : _a.call(pending, new ActionTimeoutError());
-        this.removeFromQueue(pending.message.action);
-    }
-    onAckTimeout(pending) {
-        var _a;
-        console.log("onAckTimeout", pending.message.action);
-        (_a = pending.reject) === null || _a === void 0 ? void 0 : _a.call(pending, new ExtensionUnavailableError());
-        clearTimeout(pending.replyTimer);
-    }
-    getPendingMessage(action) {
-        return this.queue.find((pm) => {
-            return pm.message.action === action;
-        });
-    }
-    getInitialAction(action) {
-        return action.replace(/-success$|-failure$|-ack$/, "");
-    }
-    removeFromQueue(action) {
-        const pending = this.getPendingMessage(action);
-        clearTimeout(pending === null || pending === void 0 ? void 0 : pending.replyTimer);
-        this.queue = this.queue.filter((pending) => (pending.message.action !== action));
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-const semverPattern = new RegExp("^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)" +
-    "(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$");
-var IdentifierDiff;
-(function (IdentifierDiff) {
-    IdentifierDiff[IdentifierDiff["NEWER"] = 1] = "NEWER";
-    IdentifierDiff[IdentifierDiff["SAME"] = 0] = "SAME";
-    IdentifierDiff[IdentifierDiff["OLDER"] = -1] = "OLDER";
-})(IdentifierDiff || (IdentifierDiff = {}));
-function parseSemver(string = "") {
-    const result = string.match(semverPattern);
-    const [, majorStr, minorStr, patchStr, rc, build] = result ? result : [];
-    const major = parseInt(majorStr, 10);
-    const minor = parseInt(minorStr, 10);
-    const patch = parseInt(patchStr, 10);
-    for (const indentifier of [major, minor, patch]) {
-        if (Number.isNaN(indentifier)) {
-            throw new VersionInvalidError(`Invalid SemVer string '${string}'`);
-        }
-    }
-    return { major, minor, patch, rc, build, string };
-}
-/**
- * Compares two Semver objects.
- *
- * @param {Semver} a First SemVer object
- * @param {Semver} b Second Semver object
- *
- * @returns {SemverDiff} Diff for major, minor and patch.
- */
-function compareSemver(a, b) {
-    return {
-        major: Math.sign(a.major - b.major),
-        minor: Math.sign(a.minor - b.minor),
-        patch: Math.sign(a.patch - b.patch),
-    };
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-/**
- * Checks if update is required.
- *
- * @param version Object containing SemVer version strings for library, extension and native app.
- *
- * @returns Object which specifies if the extension or native app should be updated.
- */
-function checkCompatibility(version) {
-    const library = parseSemver(version.library);
-    const extension = parseSemver(version.extension);
-    const nativeApp = parseSemver(version.nativeApp);
-    const extensionDiff = compareSemver(extension, library);
-    const nativeAppDiff = compareSemver(nativeApp, library);
-    return {
-        extension: extensionDiff.major === IdentifierDiff.OLDER,
-        nativeApp: nativeAppDiff.major === IdentifierDiff.OLDER,
-    };
-}
-/**
- * Checks an object if 'library', 'extension' or 'nativeApp' properties are present.
- * Values are not checked for SemVer validity.
- *
- * @param object Object which will be checked for version properties.
- *
- * @returns Were any of the version properties found in the provided object.
- */
-function hasVersionProperties(object) {
-    if (typeof object === "object") {
-        for (const prop of ["library", "extension", "nativeApp"]) {
-            if (Object.hasOwnProperty.call(object, prop))
-                return true;
-        }
-    }
-    return false;
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-class MissingParameterError extends Error {
-    constructor(message) {
-        super(message);
-        this.name = this.constructor.name;
-        this.code = ErrorCode$1.ERR_WEBEID_MISSING_PARAMETER;
-    }
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-function defer() {
-    return new Promise((resolve) => setTimeout(resolve));
-}
-
-/*
- * Copyright (c) Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-const webExtensionService = new WebExtensionService();
-async function status() {
-    await defer(); // Give chrome a moment to load the extension content script
-    let statusResponse;
-    const library = config.VERSION;
-    const timeout = config.EXTENSION_HANDSHAKE_TIMEOUT + config.NATIVE_APP_HANDSHAKE_TIMEOUT;
-    const message = { action: Action$1.STATUS };
-    try {
-        statusResponse = await webExtensionService.send(message, timeout);
-    }
-    catch (error) {
-        error.library = library;
-        throw error;
-    }
-    const versions = { library, ...statusResponse };
-    const requiresUpdate = checkCompatibility(versions);
-    if (requiresUpdate.extension || requiresUpdate.nativeApp) {
-        throw new VersionMismatchError(undefined, versions, requiresUpdate);
-    }
-    return versions;
-}
-async function authenticate(options) {
-    await defer(); // Give chrome a moment to load the extension content script
-    if (typeof options != "object") {
-        throw new MissingParameterError("authenticate function requires an options object as parameter");
-    }
-    if (!options.getAuthChallengeUrl) {
-        throw new MissingParameterError("getAuthChallengeUrl missing from authenticate options");
-    }
-    if (!options.postAuthTokenUrl) {
-        throw new MissingParameterError("postAuthTokenUrl missing from authenticate options");
-    }
-    const timeout = (config.EXTENSION_HANDSHAKE_TIMEOUT +
-        config.NATIVE_APP_HANDSHAKE_TIMEOUT +
-        (options.serverRequestTimeout || config.DEFAULT_SERVER_REQUEST_TIMEOUT) * 2 +
-        (options.userInteractionTimeout || config.DEFAULT_USER_INTERACTION_TIMEOUT));
-    const message = { ...options, action: Action$1.AUTHENTICATE };
-    const result = await webExtensionService.send(message, timeout);
-    return result.response;
-}
-async function sign(options) {
-    await defer(); // Give chrome a moment to load the extension content script
-    if (typeof options != "object") {
-        throw new MissingParameterError("sign function requires an options object as parameter");
-    }
-    if (!options.postPrepareSigningUrl) {
-        throw new MissingParameterError("postPrepareSigningUrl missing from sign options");
-    }
-    if (!options.postFinalizeSigningUrl) {
-        throw new MissingParameterError("postFinalizeSigningUrl missing from sign options");
-    }
-    const timeout = (config.EXTENSION_HANDSHAKE_TIMEOUT +
-        config.NATIVE_APP_HANDSHAKE_TIMEOUT +
-        (options.serverRequestTimeout || config.DEFAULT_SERVER_REQUEST_TIMEOUT) * 2 +
-        (options.userInteractionTimeout || config.DEFAULT_USER_INTERACTION_TIMEOUT) * 2);
-    const message = { ...options, action: Action$1.SIGN };
-    const result = await webExtensionService.send(message, timeout);
-    return result.response;
-}
-
-export { Action$1 as Action, ErrorCode$1 as ErrorCode, authenticate, config, hasVersionProperties, sign, status };
diff --git a/example/src/main/resources/static/js/web-eid.js b/example/src/main/resources/static/js/web-eid.js
new file mode 100644
index 0000000..803c911
--- /dev/null
+++ b/example/src/main/resources/static/js/web-eid.js
@@ -0,0 +1,431 @@
+/**
+ * MIT License
+ *
+ * Copyright (c) 2020-2021 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+var Action;
+(function (Action) {
+    Action["WARNING"] = "web-eid:warning";
+    Action["STATUS"] = "web-eid:status";
+    Action["STATUS_ACK"] = "web-eid:status-ack";
+    Action["STATUS_SUCCESS"] = "web-eid:status-success";
+    Action["STATUS_FAILURE"] = "web-eid:status-failure";
+    Action["AUTHENTICATE"] = "web-eid:authenticate";
+    Action["AUTHENTICATE_ACK"] = "web-eid:authenticate-ack";
+    Action["AUTHENTICATE_SUCCESS"] = "web-eid:authenticate-success";
+    Action["AUTHENTICATE_FAILURE"] = "web-eid:authenticate-failure";
+    Action["GET_SIGNING_CERTIFICATE"] = "web-eid:get-signing-certificate";
+    Action["GET_SIGNING_CERTIFICATE_ACK"] = "web-eid:get-signing-certificate-ack";
+    Action["GET_SIGNING_CERTIFICATE_SUCCESS"] = "web-eid:get-signing-certificate-success";
+    Action["GET_SIGNING_CERTIFICATE_FAILURE"] = "web-eid:get-signing-certificate-failure";
+    Action["SIGN"] = "web-eid:sign";
+    Action["SIGN_ACK"] = "web-eid:sign-ack";
+    Action["SIGN_SUCCESS"] = "web-eid:sign-success";
+    Action["SIGN_FAILURE"] = "web-eid:sign-failure";
+})(Action || (Action = {}));
+var Action$1 = Action;
+
+var ErrorCode;
+(function (ErrorCode) {
+    ErrorCode["ERR_WEBEID_ACTION_TIMEOUT"] = "ERR_WEBEID_ACTION_TIMEOUT";
+    ErrorCode["ERR_WEBEID_USER_TIMEOUT"] = "ERR_WEBEID_USER_TIMEOUT";
+    ErrorCode["ERR_WEBEID_SERVER_TIMEOUT"] = "ERR_WEBEID_SERVER_TIMEOUT";
+    ErrorCode["ERR_WEBEID_VERSION_MISMATCH"] = "ERR_WEBEID_VERSION_MISMATCH";
+    ErrorCode["ERR_WEBEID_VERSION_INVALID"] = "ERR_WEBEID_VERSION_INVALID";
+    ErrorCode["ERR_WEBEID_EXTENSION_UNAVAILABLE"] = "ERR_WEBEID_EXTENSION_UNAVAILABLE";
+    ErrorCode["ERR_WEBEID_NATIVE_UNAVAILABLE"] = "ERR_WEBEID_NATIVE_UNAVAILABLE";
+    ErrorCode["ERR_WEBEID_UNKNOWN_ERROR"] = "ERR_WEBEID_UNKNOWN_ERROR";
+    ErrorCode["ERR_WEBEID_CONTEXT_INSECURE"] = "ERR_WEBEID_CONTEXT_INSECURE";
+    ErrorCode["ERR_WEBEID_PROTOCOL_INSECURE"] = "ERR_WEBEID_PROTOCOL_INSECURE";
+    ErrorCode["ERR_WEBEID_TLS_CONNECTION_BROKEN"] = "ERR_WEBEID_TLS_CONNECTION_BROKEN";
+    ErrorCode["ERR_WEBEID_TLS_CONNECTION_INSECURE"] = "ERR_WEBEID_TLS_CONNECTION_INSECURE";
+    ErrorCode["ERR_WEBEID_TLS_CONNECTION_WEAK"] = "ERR_WEBEID_TLS_CONNECTION_WEAK";
+    ErrorCode["ERR_WEBEID_CERTIFICATE_CHANGED"] = "ERR_WEBEID_CERTIFICATE_CHANGED";
+    ErrorCode["ERR_WEBEID_ORIGIN_MISMATCH"] = "ERR_WEBEID_ORIGIN_MISMATCH";
+    ErrorCode["ERR_WEBEID_SERVER_REJECTED"] = "ERR_WEBEID_SERVER_REJECTED";
+    ErrorCode["ERR_WEBEID_USER_CANCELLED"] = "ERR_WEBEID_USER_CANCELLED";
+    ErrorCode["ERR_WEBEID_NATIVE_INVALID_ARGUMENT"] = "ERR_WEBEID_NATIVE_INVALID_ARGUMENT";
+    ErrorCode["ERR_WEBEID_NATIVE_FATAL"] = "ERR_WEBEID_NATIVE_FATAL";
+    ErrorCode["ERR_WEBEID_ACTION_PENDING"] = "ERR_WEBEID_ACTION_PENDING";
+    ErrorCode["ERR_WEBEID_MISSING_PARAMETER"] = "ERR_WEBEID_MISSING_PARAMETER";
+})(ErrorCode || (ErrorCode = {}));
+var ErrorCode$1 = ErrorCode;
+
+class MissingParameterError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_MISSING_PARAMETER;
+    }
+}
+
+class ActionPendingError extends Error {
+    constructor(message = "same action for Web-eID browser extension is already pending") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_ACTION_PENDING;
+    }
+}
+
+class ActionTimeoutError extends Error {
+    constructor(message = "extension message timeout") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_ACTION_TIMEOUT;
+    }
+}
+
+const SECURE_CONTEXTS_INFO_URL = "https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts";
+class ContextInsecureError extends Error {
+    constructor(message = "Secure context required, see " + SECURE_CONTEXTS_INFO_URL) {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_CONTEXT_INSECURE;
+    }
+}
+
+class ExtensionUnavailableError extends Error {
+    constructor(message = "Web-eID extension is not available") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_EXTENSION_UNAVAILABLE;
+    }
+}
+
+var config = Object.freeze({
+    VERSION: "2.0.0",
+    EXTENSION_HANDSHAKE_TIMEOUT: 1000,
+    NATIVE_APP_HANDSHAKE_TIMEOUT: 5 * 1000,
+    DEFAULT_USER_INTERACTION_TIMEOUT: 2 * 60 * 1000,
+    MAX_EXTENSION_LOAD_DELAY: 1000,
+});
+
+class NativeFatalError extends Error {
+    constructor(message = "native application terminated with a fatal error") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_NATIVE_FATAL;
+    }
+}
+
+class NativeInvalidArgumentError extends Error {
+    constructor(message = "native application received an invalid argument") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_NATIVE_INVALID_ARGUMENT;
+    }
+}
+
+class NativeUnavailableError extends Error {
+    constructor(message = "Web-eID native application is not available") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_NATIVE_UNAVAILABLE;
+    }
+}
+
+class UnknownError extends Error {
+    constructor(message = "an unknown error occurred") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_UNKNOWN_ERROR;
+    }
+}
+
+class UserCancelledError extends Error {
+    constructor(message = "request was cancelled by the user") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_USER_CANCELLED;
+    }
+}
+
+class UserTimeoutError extends Error {
+    constructor(message = "user failed to respond in time") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_USER_TIMEOUT;
+    }
+}
+
+class VersionInvalidError extends Error {
+    constructor(message = "invalid version string") {
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_VERSION_INVALID;
+    }
+}
+
+function tmpl(strings, requiresUpdate) {
+    return `Update required for Web-eID ${requiresUpdate}`;
+}
+class VersionMismatchError extends Error {
+    constructor(message, versions, requiresUpdate) {
+        if (!message) {
+            if (!requiresUpdate) {
+                message = "requiresUpdate not provided";
+            }
+            else if (requiresUpdate.extension && requiresUpdate.nativeApp) {
+                message = tmpl `${"extension and native app"}`;
+            }
+            else if (requiresUpdate.extension) {
+                message = tmpl `${"extension"}`;
+            }
+            else if (requiresUpdate.nativeApp) {
+                message = tmpl `${"native app"}`;
+            }
+        }
+        super(message);
+        this.name = this.constructor.name;
+        this.code = ErrorCode$1.ERR_WEBEID_VERSION_MISMATCH;
+        this.requiresUpdate = requiresUpdate;
+        if (versions) {
+            const { library, extension, nativeApp } = versions;
+            Object.assign(this, { library, extension, nativeApp });
+        }
+    }
+}
+
+const errorCodeToErrorClass = {
+    [ErrorCode$1.ERR_WEBEID_ACTION_PENDING]: ActionPendingError,
+    [ErrorCode$1.ERR_WEBEID_ACTION_TIMEOUT]: ActionTimeoutError,
+    [ErrorCode$1.ERR_WEBEID_CONTEXT_INSECURE]: ContextInsecureError,
+    [ErrorCode$1.ERR_WEBEID_EXTENSION_UNAVAILABLE]: ExtensionUnavailableError,
+    [ErrorCode$1.ERR_WEBEID_NATIVE_INVALID_ARGUMENT]: NativeInvalidArgumentError,
+    [ErrorCode$1.ERR_WEBEID_NATIVE_FATAL]: NativeFatalError,
+    [ErrorCode$1.ERR_WEBEID_NATIVE_UNAVAILABLE]: NativeUnavailableError,
+    [ErrorCode$1.ERR_WEBEID_USER_CANCELLED]: UserCancelledError,
+    [ErrorCode$1.ERR_WEBEID_USER_TIMEOUT]: UserTimeoutError,
+    [ErrorCode$1.ERR_WEBEID_VERSION_INVALID]: VersionInvalidError,
+    [ErrorCode$1.ERR_WEBEID_VERSION_MISMATCH]: VersionMismatchError,
+};
+function deserializeError(errorObject) {
+    let error;
+    if (typeof errorObject.code == "string" && errorObject.code in errorCodeToErrorClass) {
+        const CustomError = errorCodeToErrorClass[errorObject.code];
+        error = new CustomError();
+    }
+    else {
+        error = new UnknownError();
+    }
+    for (const [key, value] of Object.entries(errorObject)) {
+        error[key] = value;
+    }
+    return error;
+}
+
+class WebExtensionService {
+    constructor() {
+        this.loggedWarnings = [];
+        this.queue = [];
+        window.addEventListener("message", (event) => this.receive(event));
+    }
+    receive(event) {
+        var _a, _b, _c, _d, _e, _f;
+        if (!/^web-eid:/.test((_a = event.data) === null || _a === void 0 ? void 0 : _a.action))
+            return;
+        const message = event.data;
+        const suffix = (_c = (_b = message.action) === null || _b === void 0 ? void 0 : _b.match(/success$|failure$|ack$/)) === null || _c === void 0 ? void 0 : _c[0];
+        const initialAction = this.getInitialAction(message.action);
+        const pending = this.getPendingMessage(initialAction);
+        if (message.action === Action$1.WARNING) {
+            (_d = message.warnings) === null || _d === void 0 ? void 0 : _d.forEach((warning) => {
+                if (!this.loggedWarnings.includes(warning)) {
+                    this.loggedWarnings.push(warning);
+                    console.warn(warning);
+                }
+            });
+        }
+        else if (pending) {
+            switch (suffix) {
+                case "ack": {
+                    clearTimeout(pending.ackTimer);
+                    break;
+                }
+                case "success": {
+                    this.removeFromQueue(initialAction);
+                    (_e = pending.resolve) === null || _e === void 0 ? void 0 : _e.call(pending, message);
+                    break;
+                }
+                case "failure": {
+                    const failureMessage = message;
+                    this.removeFromQueue(initialAction);
+                    (_f = pending.reject) === null || _f === void 0 ? void 0 : _f.call(pending, failureMessage.error ? deserializeError(failureMessage.error) : failureMessage);
+                    break;
+                }
+            }
+        }
+    }
+    send(message, timeout) {
+        if (this.getPendingMessage(message.action)) {
+            return Promise.reject(new ActionPendingError());
+        }
+        else if (!window.isSecureContext) {
+            return Promise.reject(new ContextInsecureError());
+        }
+        else {
+            const pending = { message };
+            this.queue.push(pending);
+            pending.promise = new Promise((resolve, reject) => {
+                pending.resolve = resolve;
+                pending.reject = reject;
+            });
+            pending.ackTimer = window.setTimeout(() => this.onAckTimeout(pending), config.EXTENSION_HANDSHAKE_TIMEOUT);
+            pending.replyTimer = window.setTimeout(() => this.onReplyTimeout(pending), timeout);
+            window.postMessage(message, "*");
+            return pending.promise;
+        }
+    }
+    onReplyTimeout(pending) {
+        var _a;
+        this.removeFromQueue(pending.message.action);
+        (_a = pending.reject) === null || _a === void 0 ? void 0 : _a.call(pending, new ActionTimeoutError());
+    }
+    onAckTimeout(pending) {
+        var _a;
+        clearTimeout(pending.replyTimer);
+        this.removeFromQueue(pending.message.action);
+        (_a = pending.reject) === null || _a === void 0 ? void 0 : _a.call(pending, new ExtensionUnavailableError());
+    }
+    getPendingMessage(action) {
+        return this.queue.find((pm) => {
+            return pm.message.action === action;
+        });
+    }
+    getInitialAction(action) {
+        return action.replace(/-success$|-failure$|-ack$/, "");
+    }
+    removeFromQueue(action) {
+        const pending = this.getPendingMessage(action);
+        clearTimeout(pending === null || pending === void 0 ? void 0 : pending.replyTimer);
+        this.queue = this.queue.filter((pending) => (pending.message.action !== action));
+    }
+}
+
+/**
+ * Sleeps for a specified time before resolving the returned promise.
+ *
+ * @param milliseconds Time in milliseconds until the promise is resolved
+ *
+ * @returns Empty promise
+ */
+function sleep(milliseconds) {
+    return new Promise((resolve) => {
+        setTimeout(() => resolve(), milliseconds);
+    });
+}
+
+const webExtensionService = new WebExtensionService();
+const initializationTime = +new Date();
+async function extensionLoadDelay() {
+    const now = +new Date();
+    await sleep(initializationTime + config.MAX_EXTENSION_LOAD_DELAY - now);
+}
+async function status() {
+    await extensionLoadDelay();
+    const timeout = config.EXTENSION_HANDSHAKE_TIMEOUT + config.NATIVE_APP_HANDSHAKE_TIMEOUT;
+    const message = {
+        action: Action$1.STATUS,
+        libraryVersion: config.VERSION,
+    };
+    try {
+        const { library, extension, nativeApp, } = await webExtensionService.send(message, timeout);
+        return {
+            library,
+            extension,
+            nativeApp,
+        };
+    }
+    catch (error) {
+        error.library = config.VERSION;
+        throw error;
+    }
+}
+async function authenticate(challengeNonce, options) {
+    await extensionLoadDelay();
+    if (!challengeNonce) {
+        throw new MissingParameterError("authenticate function requires a challengeNonce");
+    }
+    const timeout = (config.EXTENSION_HANDSHAKE_TIMEOUT +
+        config.NATIVE_APP_HANDSHAKE_TIMEOUT +
+        ((options === null || options === void 0 ? void 0 : options.userInteractionTimeout) || config.DEFAULT_USER_INTERACTION_TIMEOUT));
+    const message = {
+        action: Action$1.AUTHENTICATE,
+        libraryVersion: config.VERSION,
+        challengeNonce,
+        options,
+    };
+    const { unverifiedCertificate, algorithm, signature, format, appVersion, } = await webExtensionService.send(message, timeout);
+    return {
+        unverifiedCertificate,
+        algorithm,
+        signature,
+        format,
+        appVersion,
+    };
+}
+async function getSigningCertificate(options) {
+    await extensionLoadDelay();
+    const timeout = (config.EXTENSION_HANDSHAKE_TIMEOUT +
+        config.NATIVE_APP_HANDSHAKE_TIMEOUT +
+        ((options === null || options === void 0 ? void 0 : options.userInteractionTimeout) || config.DEFAULT_USER_INTERACTION_TIMEOUT) * 2);
+    const message = {
+        action: Action$1.GET_SIGNING_CERTIFICATE,
+        libraryVersion: config.VERSION,
+        options,
+    };
+    const { certificate, supportedSignatureAlgorithms, } = await webExtensionService.send(message, timeout);
+    return {
+        certificate,
+        supportedSignatureAlgorithms,
+    };
+}
+async function sign(certificate, hash, hashFunction, options) {
+    await extensionLoadDelay();
+    if (!certificate) {
+        throw new MissingParameterError("sign function requires a certificate as parameter");
+    }
+    if (!hash) {
+        throw new MissingParameterError("sign function requires a hash as parameter");
+    }
+    if (!hashFunction) {
+        throw new MissingParameterError("sign function requires a hashFunction as parameter");
+    }
+    const timeout = (config.EXTENSION_HANDSHAKE_TIMEOUT +
+        config.NATIVE_APP_HANDSHAKE_TIMEOUT +
+        ((options === null || options === void 0 ? void 0 : options.userInteractionTimeout) || config.DEFAULT_USER_INTERACTION_TIMEOUT) * 2);
+    const message = {
+        action: Action$1.SIGN,
+        libraryVersion: config.VERSION,
+        certificate,
+        hash,
+        hashFunction,
+        options,
+    };
+    const { signature, signatureAlgorithm, } = await webExtensionService.send(message, timeout);
+    return {
+        signature,
+        signatureAlgorithm,
+    };
+}
+
+export { Action$1 as Action, ErrorCode$1 as ErrorCode, authenticate, config, getSigningCertificate, sign, status };
diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index 1ec14a4..a3e4cbf 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -53,18 +53,18 @@ <h3><a id="usage"></a>Usage</h3>
                     Download and run the Web eID native app and browser extension installer:
                     <ul>
                         <li>on <b>Ubuntu Linux</b> 20.04, for Firefox and Chrome from <a
-                                href="https://installer.id.ee/media/web-eid/web-eid_1.0.0.521-2004_amd64.deb">here</a>,
+                                href="https://installer.id.ee/media/web-eid/web-eid_2.0.0.555-2110_all.deb">here</a>,
                             install it with either the Ubuntu Software Center or from the console with<br>
                             <code>sudo apt install ./web-eid_[version].deb</code>
                         </li>
                         <li>on <b>macOS</b> 10.15 or later, for Firefox and Chrome from <a
-                                href="https://installer.id.ee/media/web-eid/web-eid_1.0.0.525.dmg">here</a>,
+                                href="https://installer.id.ee/media/web-eid/web-eid_2.0.0.556.dmg">here</a>,
                         </li>
                         <li>on <b>macOS</b> 10.15 or later, for Safari, install the extension from <a
                                 href="https://apps.apple.com/ee/app/web-eid/id1576665083?mt=12">App Store</a>,
                         </li>
                         <li>on <b>Windows</b> 10 (64-bit), for Firefox, Chrome and Edge from <a
-                                href="https://installer.id.ee/media/web-eid/web-eid_1.0.0.527.exe">here</a>.
+                                href="https://installer.id.ee/media/web-eid/web-eid_2.0.0.552.exe">here</a>.
                         </li>
                     </ul>
                 </li>
@@ -132,7 +132,9 @@ <h4>Debugging and logs</h4>
                             <code>&nbsp;&nbsp;"$HOME/Library/Containers/eu.web-eid.web-eid/Data/Library/Preferences/eu.web-eid.web-eid.plist"
                                 \</code><br>
                             <code>&nbsp;&nbsp;logging true</code><br>
-                            <code>defaults write "$HOME/Library/Containers/eu.web-eid.web-eid-safari/Data/Library/Preferences/eu.web-eid.web-eid-safari.plist" \</code><br>
+                            <code>defaults write
+                                "$HOME/Library/Containers/eu.web-eid.web-eid-safari/Data/Library/Preferences/eu.web-eid.web-eid-safari.plist"
+                                \</code><br>
                             <code>&nbsp;&nbsp;logging true</code><br>
                         </li>
                         <li>in Windows, add the following registry key:<br>
@@ -149,7 +151,7 @@ <h4>Debugging and logs</h4>
                             Support/RIA/web-eid/web-eid.log</code> in macOS
                         </li>
                         <li><code>~/Library/Containers/eu.web-eid.web-eid-safari/Data/Library/Application\
-                           Support/RIA/web-eid-safari/web-eid-safari.log</code> of Safari in macOS
+                            Support/RIA/web-eid-safari/web-eid-safari.log</code> of Safari in macOS
                         </li>
                         <li>
                             <code>C:/Users/&lt;USER&gt;/AppData/Local/RIA/web-eid/web-eid.log</code> in Windows.
@@ -162,7 +164,7 @@ <h4>Debugging and logs</h4>
             <h3><a id="documentation"></a>Documentation</h3>
             <p>
                 Technical overview of the solution is available in the project
-                <a href="https://github.com/open-eid/browser-extensions2">system architecture document</a>.
+                <a href="https://github.com/web-eid/web-eid-system-architecture-doc">system architecture document</a>.
                 Overview of authentication token validation implementation in the back end is available in the
                 <i>web-eid-authtoken-validation-java</i> Java library
                 <a href="https://github.com/web-eid/web-eid-authtoken-validation-java#authentication-token-validation">README</a>.
@@ -212,8 +214,8 @@ <h3><a id="for-developers"></a>For developers</h3>
 
 <script type="module">
     "use strict";
-    import * as webeid from "/js/web-eid-1.0.1.js";
-    import {hideErrorMessage, showErrorMessage} from "/js/error-message.js";
+    import * as webeid from "/js/web-eid.js";
+    import {hideErrorMessage, showErrorMessage, checkHttpError} from "/js/errors.js";
 
     hideErrorMessage();
 
@@ -222,23 +224,39 @@ <h3><a id="for-developers"></a>For developers</h3>
     const csrfToken = document.querySelector('#csrftoken').content;
     const csrfHeaderName = document.querySelector('#csrfheadername').content;
 
-    authButton.addEventListener("click", async () => {
-        const options = {
-            getAuthChallengeUrl: window.location.origin + "/auth/challenge",
-            postAuthTokenUrl: window.location.origin + "/auth/login",
-            headers: {
-                [csrfHeaderName]: csrfToken
-            }
-        };
+    const lang = new URLSearchParams(window.location.search).get("lang") || "en";
 
+    authButton.addEventListener("click", async () => {
         hideErrorMessage();
         authButton.disabled = true;
 
         try {
-            const response = await webeid.authenticate(options);
+            const challengeResponse = await fetch("/auth/challenge", {
+                method: "GET",
+                headers: {
+                    'Content-Type': 'application/json'
+                }
+            });
+            await checkHttpError(challengeResponse);
+            const {nonce} = await challengeResponse.json();
+
+            const authToken = await webeid.authenticate(nonce, {lang});
+
+            const authTokenResponse = await fetch("/auth/login", {
+                method: "POST",
+                headers: {
+                    'Content-Type': 'application/json',
+                    [csrfHeaderName]: csrfToken
+                },
+                body: `{"auth-token": ${JSON.stringify(authToken)}}`
+            });
+            await checkHttpError(authTokenResponse);
+            const authTokenResult = await authTokenResponse.json();
+
+            console.log("Authentication successful! Result:", authTokenResult);
 
-            console.log("Authentication successful! Response:", response);
             window.location.href = "/welcome";
+
         } catch (error) {
             showErrorMessage(error);
             throw error;
@@ -252,6 +270,7 @@ <h3><a id="for-developers"></a>For developers</h3>
             document.querySelector(".eu-logo-fixed").style.display = 'none'
         }, 7000)
     });
+    //# sourceURL=index.js
 </script>
 </body>
 </html>
diff --git a/example/src/main/resources/templates/welcome-with-file-upload-support.html b/example/src/main/resources/templates/welcome-with-file-upload-support.html
index ed815e6..f13ab58 100644
--- a/example/src/main/resources/templates/welcome-with-file-upload-support.html
+++ b/example/src/main/resources/templates/welcome-with-file-upload-support.html
@@ -37,8 +37,8 @@ <h2 class="adding-signature">Sign a document</h2>
 
         <script type="module">
             "use strict";
-            import * as webeid from "/js/web-eid-1.0.1.js";
-            import { hideErrorMessage, showErrorMessage } from "/js/error-message.js";
+            import * as webeid from "/js/web-eid.js";
+            import { hideErrorMessage, showErrorMessage } from "/js/errors.js";
 
             const signButton = document.querySelector("#webeid-sign-button");
             const downloadButton = document.querySelector("#webeid-download-button");
diff --git a/example/src/main/resources/templates/welcome.html b/example/src/main/resources/templates/welcome.html
index eeb07ec..83d93cc 100644
--- a/example/src/main/resources/templates/welcome.html
+++ b/example/src/main/resources/templates/welcome.html
@@ -50,8 +50,8 @@ <h2 class="adding-signature">Digital signing</h2>
 
 <script type="module">
     "use strict";
-    import * as webeid from "/js/web-eid-1.0.1.js";
-    import {hideErrorMessage, showErrorMessage} from "/js/error-message.js";
+    import * as webeid from "/js/web-eid.js";
+    import {hideErrorMessage, showErrorMessage, checkHttpError} from "/js/errors.js";
 
     const signButton = document.querySelector("#webeid-sign-button");
     const downloadButton = document.querySelector("#webeid-download-button");
@@ -71,24 +71,52 @@ <h2 class="adding-signature">Digital signing</h2>
     const csrfToken = document.querySelector('#csrftoken').content;
     const csrfHeaderName = document.querySelector('#csrfheadername').content;
 
-    signButton.addEventListener("click", async () => {
-        const options = {
-            postPrepareSigningUrl: window.location.origin + "/sign/prepare",
-            postFinalizeSigningUrl: window.location.origin + "/sign/sign",
-            headers: {
-                [csrfHeaderName]: csrfToken
-            }
-        };
+    const lang = new URLSearchParams(window.location.search).get("lang") || "en";
 
+    signButton.addEventListener("click", async () => {
         hideErrorMessage();
         signButton.disabled = true;
 
         try {
-            const response = await webeid.sign(options);
+            const {
+                certificate,
+                supportedSignatureAlgorithms,
+            } = await webeid.getSigningCertificate({lang});
+
+            const prepareSigningResponse = await fetch("/sign/prepare", {
+                method: "POST",
+                headers: {
+                    'Content-Type': 'application/json',
+                    [csrfHeaderName]: csrfToken
+                },
+                body: JSON.stringify({certificate, supportedSignatureAlgorithms}),
+            });
+            await checkHttpError(prepareSigningResponse);
+            const {
+                hash,
+                hashFunction
+            } = await prepareSigningResponse.json();
+
+            const {
+                signatureAlgorithm,
+                signature,
+            } = await webeid.sign(certificate, hash, hashFunction, {lang});
+
+            const finalizeSigningResponse = await fetch("/sign/sign", {
+                method: "POST",
+                headers: {
+                    'Content-Type': 'application/json',
+                    [csrfHeaderName]: csrfToken
+                },
+                body: JSON.stringify({signature, signatureAlgorithm}),
+            });
+            await checkHttpError(finalizeSigningResponse);
+            const signResult = await finalizeSigningResponse.json();
+
             signButton.setAttribute("style", "display: none;");
             exampleDocument.setAttribute("style", "display: none;");
             downloadButton.removeAttribute("style");
-            fileNameText.textContent = "Signature added: " + response.body.name;
+            fileNameText.textContent = "Signature added: " + signResult.name;
         } catch (error) {
             showErrorMessage(error);
             throw error;
diff --git a/example/src/test/java/org/webeid/example/AuthenticationRestControllerTest.java b/example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java
similarity index 91%
rename from example/src/test/java/org/webeid/example/AuthenticationRestControllerTest.java
rename to example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java
index 71aca17..74bf6b5 100644
--- a/example/src/test/java/org/webeid/example/AuthenticationRestControllerTest.java
+++ b/example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java
@@ -20,15 +20,15 @@
  * SOFTWARE.
  */
 
-package org.webeid.example;
+package eu.webeid.example;
 
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.context.SpringBootTest;
-import org.webeid.example.web.rest.ChallengeController;
+import eu.webeid.example.web.rest.ChallengeController;
 
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.webeid.security.nonce.NonceGenerator.NONCE_LENGTH;
+import static eu.webeid.security.challenge.ChallengeNonceGenerator.NONCE_LENGTH;
 
 @SpringBootTest
 class AuthenticationRestControllerTest {
diff --git a/example/src/test/java/org/webeid/example/DateMockingTest.java b/example/src/test/java/eu/webeid/example/DateMockingTest.java
similarity index 95%
rename from example/src/test/java/org/webeid/example/DateMockingTest.java
rename to example/src/test/java/eu/webeid/example/DateMockingTest.java
index 8dfa6d0..75513a9 100644
--- a/example/src/test/java/org/webeid/example/DateMockingTest.java
+++ b/example/src/test/java/eu/webeid/example/DateMockingTest.java
@@ -20,10 +20,10 @@
  * SOFTWARE.
  */
 
-package org.webeid.example;
+package eu.webeid.example;
 
+import eu.webeid.example.testutil.Dates;
 import org.junit.jupiter.api.Test;
-import org.webeid.example.testutil.Dates;
 
 import java.text.ParseException;
 import java.util.Date;
diff --git a/example/src/test/java/org/webeid/example/WebApplicationTest.java b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
similarity index 83%
rename from example/src/test/java/org/webeid/example/WebApplicationTest.java
rename to example/src/test/java/eu/webeid/example/WebApplicationTest.java
index 0add119..fdb267e 100644
--- a/example/src/test/java/org/webeid/example/WebApplicationTest.java
+++ b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
@@ -20,8 +20,11 @@
  * SOFTWARE.
  */
 
-package org.webeid.example;
+package eu.webeid.example;
 
+import eu.webeid.example.testutil.Dates;
+import eu.webeid.example.testutil.HttpHelper;
+import eu.webeid.example.testutil.ObjectMother;
 import mockit.Mock;
 import mockit.MockUp;
 import org.digidoc4j.impl.asic.AsicSignatureFinalizer;
@@ -37,16 +40,12 @@
 import org.springframework.test.web.servlet.setup.DefaultMockMvcBuilder;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import org.springframework.web.context.WebApplicationContext;
-import org.webeid.example.service.dto.DigestDTO;
-import org.webeid.example.testutil.Dates;
-import org.webeid.example.testutil.HttpHelper;
-import org.webeid.example.testutil.ObjectMother;
-import org.webeid.security.util.UtcDateTime;
-import org.webeid.security.validator.AuthTokenValidatorData;
-import org.webeid.security.validator.validators.SubjectCertificateNotRevokedValidator;
+import eu.webeid.example.service.dto.DigestDTO;
+import eu.webeid.security.challenge.ChallengeNonce;
+import eu.webeid.security.util.DateAndTime;
+import eu.webeid.security.validator.certvalidators.SubjectCertificateNotRevokedValidator;
 
-import javax.cache.Cache;
-import java.time.ZonedDateTime;
+import java.security.cert.X509Certificate;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
@@ -55,16 +54,12 @@
 @WebAppConfiguration
 public class WebApplicationTest {
 
-    @Autowired
-    Cache<String, ZonedDateTime> cache;
-
     @Autowired
     private WebApplicationContext context;
 
     @Autowired
     private javax.servlet.Filter[] springSecurityFilterChain;
 
-    private static final String TEST_NONCE = "a/wAFpMaXojLIaEmeOvviRNoBVqHBM/Mm9JV28ZcaIo=";
     private static DefaultMockMvcBuilder mvcBuilder;
 
     @BeforeEach
@@ -91,7 +86,7 @@ public void testHappyFlow_LoginPrepareSignDownload() throws Exception {
         // Arrange
         new MockUp<SubjectCertificateNotRevokedValidator>() {
             @Mock
-            public void validateCertificateNotRevoked(AuthTokenValidatorData actualTokenData) {
+            public void validateCertificateNotRevoked(X509Certificate subjectCertificate) {
                 // Do not call real OCSP service in tests.
             }
         };
@@ -103,9 +98,8 @@ public void validateOcspResponse(XadesSignature xadesSignature) {
             }
         };
 
-        cache.put(TEST_NONCE, UtcDateTime.now().plusMinutes(5));
-
         final MockHttpSession session = new MockHttpSession();
+        session.setAttribute("challenge-nonce", new ChallengeNonce(ObjectMother.VALID_CHALLENGE_NONCE, DateAndTime.utcNow().plusMinutes(1)));
 
         Dates.setMockedDate(Dates.create("2020-04-14T13:36:49Z"));
 
@@ -116,8 +110,11 @@ public void validateOcspResponse(XadesSignature xadesSignature) {
         assertEquals("{\"sub\":\"JAAK-KRISTJAN JÕEORG\",\"auth\":[\"ROLE_USER\"]}", response.getContentAsString());
 
         /* Example how to test file upload.
-        response = HttpHelper.upload(mvcBuilder, session, ObjectMother.mockMultipartFile());
+        response = HttpHelper.upload(mvcBuilder, session, mockMultipartFile());
         assertEquals(HttpStatus.OK.value(), response.getStatus());
+        public static MockMultipartFile mockMultipartFile() {
+            return new MockMultipartFile("file", "test-file.txt", "text/plain", "some xml".getBytes());
+        }
         */
 
         response = HttpHelper.prepare(mvcBuilder, session, ObjectMother.mockPrepareRequest());
diff --git a/example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java b/example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java
new file mode 100644
index 0000000..0640a4d
--- /dev/null
+++ b/example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java
@@ -0,0 +1,39 @@
+package eu.webeid.example.security;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationManager;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.BufferedReader;
+import java.io.StringReader;
+
+import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+class WebEidAjaxLoginProcessingFilterTest {
+
+    private static final String AUTH_TOKEN = "{\"auth-token\":" +
+            "{\"algorithm\":\"ES384\"," +
+            "\"certificate\":\"MIIEAzCCA2WgAwIBAgIQHWbVWxCkcYxbzz9nBzGrDzAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTE4MTAyMzE1MzM1OVoXDTIzMTAyMjIxNTk1OVowfzELMAkGA1UEBhMCRUUxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEQMA4GA1UEBAwHSsOVRU9SRzEWMBQGA1UEKgwNSkFBSy1LUklTVEpBTjEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQ/u+9IncarVpgrACN6aRgUiT9lWC9H7llnxoEXe8xoCI982Md8YuJsVfRdeG5jwVfXe0N6KkHLFRARspst8qnACULkqFNat/Kj+XRwJ2UANeJ3Gl5XBr+tnLNuDf/UiR6jggHDMIIBvzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIDiDBHBgNVHSAEQDA+MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAIBgYEAI96AQIwHwYDVR0RBBgwFoEUMzgwMDEwODU3MThAZWVzdGkuZWUwHQYDVR0OBBYEFOTddHnA9rJtbLwhBNyn0xZTQGCMMGEGCCsGAQUFBwEDBFUwUzBRBgYEAI5GAQUwRzBFFj9odHRwczovL3NrLmVlL2VuL3JlcG9zaXRvcnkvY29uZGl0aW9ucy1mb3ItdXNlLW9mLWNlcnRpZmljYXRlcy8TAkVOMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBiwAwgYcCQgHYElkX4vn821JR41akI/lpexCnJFUf4GiOMbTfzAxpZma333R8LNrmI4zbzDp03hvMTzH49g1jcbGnaCcbboS8DAJBObenUp++L5VqldHwKAps61nM4V+TiLqD0jILnTzl+pV+LexNL3uGzUfvvDNLHnF9t6ygi8+Bsjsu3iHHyM1haKM=\"," +
+            "\"issuerApp\":\"https://web-eid.eu/web-eid-app/releases/2.0.0+976\"," +
+            "\"signature\":\"Z+r6IIx0lmXNTHrlJOTknVaOYszXba5ko1e8rjWJXd4nzIVsxeTps/Revg+tuKREkkIuIKhwvOnARdWV6vBmhjlpRUZn9aNPSDRP98T/0sPZgDp31hwsWfCAYnPzzYC9\"," +
+            "\"version\":\"web-eid:1\"}}";
+
+    @Test
+    void testAttemptAuthentication() throws Exception {
+        final HttpServletRequest request = mock(HttpServletRequest.class);
+        final HttpServletResponse response = mock(HttpServletResponse.class);
+        when(request.getMethod()).thenReturn(HttpMethod.POST.name());
+        when(request.getHeader("Content-type")).thenReturn("application/json");
+        when(request.getReader()).thenReturn(new BufferedReader(new StringReader(AUTH_TOKEN)));
+
+        final AuthenticationManager authenticationManager = mock(AuthenticationManager.class);
+
+        assertDoesNotThrow(() ->
+                new WebEidAjaxLoginProcessingFilter("/auth/login", authenticationManager)
+                        .attemptAuthentication(request, response));
+    }
+}
\ No newline at end of file
diff --git a/example/src/test/java/org/webeid/example/testutil/Dates.java b/example/src/test/java/eu/webeid/example/testutil/Dates.java
similarity index 97%
rename from example/src/test/java/org/webeid/example/testutil/Dates.java
rename to example/src/test/java/eu/webeid/example/testutil/Dates.java
index 3b43c8c..152a9ff 100644
--- a/example/src/test/java/org/webeid/example/testutil/Dates.java
+++ b/example/src/test/java/eu/webeid/example/testutil/Dates.java
@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.testutil;
+package eu.webeid.example.testutil;
 
 import com.fasterxml.jackson.databind.util.StdDateFormat;
 import mockit.Mock;
diff --git a/example/src/test/java/org/webeid/example/testutil/HttpHelper.java b/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
similarity index 95%
rename from example/src/test/java/org/webeid/example/testutil/HttpHelper.java
rename to example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
index 4becbd7..fc4f801 100644
--- a/example/src/test/java/org/webeid/example/testutil/HttpHelper.java
+++ b/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
@@ -20,7 +20,7 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.testutil;
+package eu.webeid.example.testutil;
 
 import org.springframework.http.MediaType;
 import org.springframework.mock.web.MockHttpServletResponse;
@@ -28,9 +28,9 @@
 import org.springframework.mock.web.MockMultipartFile;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.DefaultMockMvcBuilder;
-import org.webeid.example.security.dto.AuthTokenDTO;
-import org.webeid.example.service.dto.CertificateDTO;
-import org.webeid.example.service.dto.SignatureDTO;
+import eu.webeid.example.security.dto.AuthTokenDTO;
+import eu.webeid.example.service.dto.CertificateDTO;
+import eu.webeid.example.service.dto.SignatureDTO;
 
 import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
diff --git a/example/src/test/java/org/webeid/example/testutil/ObjectMother.java b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
similarity index 61%
rename from example/src/test/java/org/webeid/example/testutil/ObjectMother.java
rename to example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
index 678b576..5d4b081 100644
--- a/example/src/test/java/org/webeid/example/testutil/ObjectMother.java
+++ b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
@@ -20,17 +20,17 @@
  * SOFTWARE.
  */
 
-package org.webeid.example.testutil;
+package eu.webeid.example.testutil;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import eu.webeid.security.authtoken.WebEidAuthToken;
 import org.apache.commons.lang3.ArrayUtils;
 import org.digidoc4j.DigestAlgorithm;
 import org.digidoc4j.exceptions.DigiDoc4JException;
-import org.springframework.mock.web.MockMultipartFile;
-import org.webeid.example.security.dto.AuthTokenDTO;
-import org.webeid.example.service.dto.CertificateDTO;
-import org.webeid.example.service.dto.SignatureDTO;
+import eu.webeid.example.security.dto.AuthTokenDTO;
+import eu.webeid.example.service.dto.CertificateDTO;
+import eu.webeid.example.service.dto.SignatureDTO;
 
 import javax.xml.bind.DatatypeConverter;
 import java.io.FileInputStream;
@@ -42,23 +42,35 @@
 
 public class ObjectMother {
 
-    public static final String TEST_PKI_CONTAINER = "src/test/resources/signout.p12";
-    public static final String TEST_PKI_CONTAINER_PASSWORD = "test";
-    private static final ObjectMapper mapper = new ObjectMapper();
+    private static final ObjectMapper MAPPER = new ObjectMapper();
+    private static final String TEST_PKI_CONTAINER = "src/test/resources/signout.p12";
+    private static final String TEST_PKI_CONTAINER_PASSWORD = "test";
+    private static final WebEidAuthToken VALID_AUTH_TOKEN;
 
-    public static AuthTokenDTO mockAuthToken() throws JsonProcessingException {
+    static {
+        try {
+            VALID_AUTH_TOKEN = MAPPER.readValue(
+                    "{\"algorithm\":\"ES384\"," +
+                            "\"unverifiedCertificate\":\"MIIEAzCCA2WgAwIBAgIQHWbVWxCkcYxbzz9nBzGrDzAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTE4MTAyMzE1MzM1OVoXDTIzMTAyMjIxNTk1OVowfzELMAkGA1UEBhMCRUUxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEQMA4GA1UEBAwHSsOVRU9SRzEWMBQGA1UEKgwNSkFBSy1LUklTVEpBTjEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQ/u+9IncarVpgrACN6aRgUiT9lWC9H7llnxoEXe8xoCI982Md8YuJsVfRdeG5jwVfXe0N6KkHLFRARspst8qnACULkqFNat/Kj+XRwJ2UANeJ3Gl5XBr+tnLNuDf/UiR6jggHDMIIBvzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIDiDBHBgNVHSAEQDA+MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAIBgYEAI96AQIwHwYDVR0RBBgwFoEUMzgwMDEwODU3MThAZWVzdGkuZWUwHQYDVR0OBBYEFOTddHnA9rJtbLwhBNyn0xZTQGCMMGEGCCsGAQUFBwEDBFUwUzBRBgYEAI5GAQUwRzBFFj9odHRwczovL3NrLmVlL2VuL3JlcG9zaXRvcnkvY29uZGl0aW9ucy1mb3ItdXNlLW9mLWNlcnRpZmljYXRlcy8TAkVOMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBiwAwgYcCQgHYElkX4vn821JR41akI/lpexCnJFUf4GiOMbTfzAxpZma333R8LNrmI4zbzDp03hvMTzH49g1jcbGnaCcbboS8DAJBObenUp++L5VqldHwKAps61nM4V+TiLqD0jILnTzl+pV+LexNL3uGzUfvvDNLHnF9t6ygi8+Bsjsu3iHHyM1haKM=\"," +
+                            "\"appVersion\":\"https://web-eid.eu/web-eid-app/releases/2.0.0+0\"," +
+                            "\"signature\":\"tbMTrZD4CKUj6atjNCHZruIeyPFAEJk2htziQ1t08BSTyA5wKKqmNmzsJ7562hWQ6+tJd6nlidHGE5jVVJRKmPtNv3f9gbT2b7RXcD4t5Pjn8eUCBCA4IX99Af32Z5ln\"," +
+                            "\"format\":\"web-eid:1\"}",
+                    WebEidAuthToken.class);
+        } catch (JsonProcessingException e) {
+            throw new RuntimeException("Token parsing failed");
+        }
+    }
+
+    public static final String VALID_CHALLENGE_NONCE = "12345678123456781234567812345678912356789123";
+
+    public static AuthTokenDTO mockAuthToken() {
         AuthTokenDTO authToken = new AuthTokenDTO();
-        authToken.setToken(Tokens.SIGNED);
+        authToken.setToken(VALID_AUTH_TOKEN);
         return authToken;
     }
 
     public static String toJson(Object object) throws JsonProcessingException {
-        return mapper.writeValueAsString(object);
-    }
-
-
-    public static MockMultipartFile mockMultipartFile() {
-        return new MockMultipartFile("file", "test-file.txt", "text/plain", "some xml".getBytes());
+        return MAPPER.writeValueAsString(object);
     }
 
     public static String mockCertificateInBase64() {
@@ -76,13 +88,13 @@ public static String mockSignatureInBase64(String digestToSign) {
     }
 
     public static <T> T jsonStringToBean(String jsonString, Class<T> valueType) throws JsonProcessingException {
-        return mapper.readValue(jsonString, valueType);
+        return MAPPER.readValue(jsonString, valueType);
     }
 
     public static CertificateDTO mockPrepareRequest() {
-        CertificateDTO certificateDTODTO = new CertificateDTO();
-        certificateDTODTO.setBase64String(mockCertificateInBase64());
-        return certificateDTODTO;
+        CertificateDTO certificateDTO = new CertificateDTO();
+        certificateDTO.setCertificate(mockCertificateInBase64());
+        return certificateDTO;
     }
 
     public static SignatureDTO mockSignRequest(String digestToSign) {
diff --git a/example/src/test/java/org/webeid/example/testutil/Tokens.java b/example/src/test/java/org/webeid/example/testutil/Tokens.java
deleted file mode 100644
index 4f213ff..0000000
--- a/example/src/test/java/org/webeid/example/testutil/Tokens.java
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * Copyright (c) 2020 The Web eID Project
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-package org.webeid.example.testutil;
-
-public class Tokens {
-
-    public static final String SIGNED =
-        "eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlFUkRDQ0E2YWdBd0lCQWdJUWF2WS81dFg4cVZKYmNxUlBML2k4VXpBS0JnZ3Foa2pPUFFRREJEQmdNUXN3Q1FZRFZRUUdFd0pGUlRFYk1Ca0dBMVVFQ2d3U1Uwc2dTVVFnVTI5c2RYUnBiMjV6SUVGVE1SY3dGUVlEVlFSaERBNU9WRkpGUlMweE1EYzBOekF4TXpFYk1Ca0dBMVVFQXd3U1ZFVlRWQ0J2WmlCRlUxUkZTVVF5TURFNE1CNFhEVEU0TURneE5EQTVORE0wTTFvWERUSXpNRGd4TWpJeE5UazFPVm93ZnpFTE1Ba0dBMVVFQmhNQ1JVVXhLakFvQmdOVkJBTU1JVXJEbFVWUFVrY3NTa0ZCU3kxTFVrbFRWRXBCVGl3ek9EQXdNVEE0TlRjeE9ERVFNQTRHQTFVRUJBd0hTc09WUlU5U1J6RVdNQlFHQTFVRUtnd05Ta0ZCU3kxTFVrbFRWRXBCVGpFYU1CZ0dBMVVFQlJNUlVFNVBSVVV0TXpnd01ERXdPRFUzTVRnd2RqQVFCZ2NxaGtqT1BRSUJCZ1VyZ1FRQUlnTmlBQVQ4akc4RXZzVVZvbVdoUXJNZ2xkVUU3QUNKR2lERklGa295SC9YRTQ2Z040SzJqWXF1NjVETGh0ZmxOMXRuWjRLT2YyYllUeUJ5N3ZmRTVMWjFrRXpLT3FCWWgxbm10cUxQb2FYdlpxYWREVktCU3UvaUxmRm43TFZtcnFDUWwraWpnZ0lFTUlJQ0FEQUpCZ05WSFJNRUFqQUFNQTRHQTFVZER3RUIvd1FFQXdJRGlEQkhCZ05WSFNBRVFEQStNRElHQ3lzR0FRUUJnNUVoQVFJQk1DTXdJUVlJS3dZQkJRVUhBZ0VXRldoMGRIQnpPaTh2ZDNkM0xuTnJMbVZsTDBOUVV6QUlCZ1lFQUk5NkFRSXdId1lEVlIwUkJCZ3dGb0VVTXpnd01ERXdPRFUzTVRoQVpXVnpkR2t1WldVd0hRWURWUjBPQkJZRUZOaUVZRHVQRnZpb1VwcFh4QXgwSUpJSVlOUmlNR0VHQ0NzR0FRVUZCd0VEQkZVd1V6QlJCZ1lFQUk1R0FRVXdSekJGRmo5b2RIUndjem92TDNOckxtVmxMMlZ1TDNKbGNHOXphWFJ2Y25rdlkyOXVaR2wwYVc5dWN5MW1iM0l0ZFhObExXOW1MV05sY25ScFptbGpZWFJsY3k4VEFrVk9NQ0FHQTFVZEpRRUIvd1FXTUJRR0NDc0dBUVVGQndNQ0JnZ3JCZ0VGQlFjREJEQWZCZ05WSFNNRUdEQVdnQlRBaEprcHhFNmZPd0kwOXBuaENsWUFDQ2srZXpCL0JnZ3JCZ0VGQlFjQkFRUnpNSEV3TEFZSUt3WUJCUVVITUFHR0lHaDBkSEE2THk5aGFXRXVaR1Z0Ynk1emF5NWxaUzlsYzNSbGFXUXlNREU0TUVFR0NDc0dBUVVGQnpBQ2hqVm9kSFJ3Y3pvdkwzTnJMbVZsTDNWd2JHOWhaQzltYVd4bGN5OVVSVk5VWDI5bVgwVlRWRVZKUkRJd01UZ3VaR1Z5TG1OeWREQXpCZ05WSFI4RUxEQXFNQ2lnSnFBa2hpSm9kSFJ3T2k4dll5NXpheTVsWlM5MFpYTjBYMlZ6ZEdWcFpESXdNVGd1WTNKc01Bb0dDQ3FHU000OUJBTUVBNEdMQURDQmh3SkNBZDdOR3VDTlhHeFRiNVRnUmVZeFJTZjVYaHByMXFhVGZZZG5Kb1lOWDM5bVg5bFkxZGd5ZmJta1BzTDVpejBiWUxLOXBxRnBKOHdablZpSmpSaTV5dUh4QWtFTjJIdk0vU3d4MEJxRE9uN1FzdjZ6aXgzaHBMUUluWEllRms4aXR2OVhsdnA0VlE1S0g3bXNFZUp6N2NIMEdOTnFaTnBIdkVkTEFjMkJyT2tXbGdadUtRPT0iXX0.eyJhdWQiOlsiaHR0cHM6Ly81MjhiYzlmMjE1MjAubmdyb2suaW8iLCJ1cm46Y2VydDpzaGEtMjU2OjExZDhhZTYwZWMxOTEwYzc5NGQ3NGM4MmM4MGQ5NmIyMDc4OGI1NmFkMjY1ZmZmOWI1MTRjODc1Zjc5MDA4ZTEiXSwiZXhwIjoiMTYwMTU0MTgzNiIsImlhdCI6IjE2MDE1NDE1MzYiLCJpc3MiOiJ3ZWItZWlkIGFwcCAwLjkuMi1yYzEiLCJub25jZSI6ImEvd0FGcE1hWG9qTElhRW1lT3Z2aVJOb0JWcUhCTS9NbTlKVjI4WmNhSW89Iiwic3ViIjoiSsOVRU9SRyxKQUFLLUtSSVNUSkFOLDM4MDAxMDg1NzE4In0.BwC7jocegvB23K8YbuiakF7UdjpW1Rvl4u8zdNdm75M0QygLSOCuW7Nmn5tjKmqNmZjcOBxLlt3uN95_yFxZQAjRpCrkW-7bqfbJVzaqKnBx5lyvrO-69tEMKW578qCz";
-    }
diff --git a/example/src/test/resources/application-dev.yaml b/example/src/test/resources/application-dev.yaml
new file mode 100644
index 0000000..5e60766
--- /dev/null
+++ b/example/src/test/resources/application-dev.yaml
@@ -0,0 +1,4 @@
+web-eid-auth-token:
+  validation:
+    use-digidoc4j-prod-configuration: false
+    local-origin: "https://ria.ee"

From b6d0ebabf22dfb46fe693f644d8f09740cae90b0 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 21 Jan 2022 21:27:26 +0200
Subject: [PATCH 047/116] docs: update README with v2 information

WE2-610

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/README.md                             | 52 ++++++++++++-------
 .../src/main/resources/templates/index.html   |  4 +-
 .../src/main/resources/templates/welcome.html |  4 +-
 3 files changed, 36 insertions(+), 24 deletions(-)

diff --git a/example/README.md b/example/README.md
index b5a35d0..38ad601 100644
--- a/example/README.md
+++ b/example/README.md
@@ -2,8 +2,8 @@
 
 ![European Regional Development Fund](https://github.com/open-eid/DigiDoc4-Client/blob/master/client/images/EL_Regionaalarengu_Fond.png)
 
-Example Spring Boot web application that uses Web eID for strong authentication
-and digital signing with electronic ID smart cards.
+This project is an example Spring Boot web application that shows how to implement strong authentication
+and digital signing with electronic ID smart cards using Web eID.
 
 More information about the Web eID project is available on the project [website](https://web-eid.eu/), which is served by this application.
 
@@ -23,19 +23,19 @@ You can use, for example, [_ngrok_](https://ngrok.com/) to get a reverse HTTPS p
 
 ### 2. Configure the origin URL
 
-One crucial step of Web eID authentication token validation algorithm is verifying that the _aud_ field of the token contains the site origin URL (the URL serving the web application) to protect against man-in-the-middle attacks. Hence the site origin URL must be configured in application settings.
+One crucial step of the Web eID authentication token validation algorithm is verifying the token signature. The value that is signed contains the site origin URL (the URL serving the web application) to protect against man-in-the-middle attacks. Hence the site origin URL must be configured in application settings.
 
-To configure the origin URL, copy and paste the HTTPS URL that _ngrok_ did output in step 1 into the `local-origin` field in the profile-specific settings file `src/main/resources/application-{dev,prod}.yaml` as follows:
+To configure the origin URL, copy and paste the HTTPS URL from _ngrok_ output in step 1 into the `local-origin` field in the profile-specific settings file `src/main/resources/application-{dev,prod}.yaml` as follows:
 
 ```yaml
 web-eid-auth-token:
     validation:
-        local-origin: "https://<<NGROK URL HERE>>"
+        local-origin: "https://<<NGROK HOSTNAME HERE>>"
 ```
 
 ### 3. Configure the trusted certificate authority certificates
 
-The Web eID authentication token validation algorithm needs to know which intermediate certificate authorities (CA) are trusted to issue the eID authentication certificates. CA certificates are loaded either from `.cer` files in the profile-specific subdirectory of the [`certs`resource directory](src/main/resources/certs) or the [truststore file](src/main/resources/certs/prod/trusted_certificates.jks). By default, Estonian eID test CA certificates are included in the `dev` profile and production CA certificates in the `prod` profile.
+The algorithm, which performs the validation of the Web eID authentication token, needs to know which intermediate certificate authorities (CA) are trusted to issue the eID authentication certificates. CA certificates are loaded either from `.cer` files in the profile-specific subdirectory of the [`certs`resource directory](src/main/resources/certs) or the [truststore file](src/main/resources/certs/prod/trusted_certificates.jks). By default, Estonian eID test CA certificates are included in the `dev` profile and production CA certificates in the `prod` profile.
 
 In case you need to provide your own CA certificates, either add the `.cer` files to the `src/main/resources/certs/{dev,prod}` profile-specific directory or add the certificates to the truststore file.
 
@@ -57,7 +57,7 @@ Build and run the application with the following command in a terminal window:
 ./mvnw spring-boot:run
 ```
 
-This will activate the default `dev` profile and launch the built-in Tomcat web server on port 8080 that was forwarded to _ngrok_ in step 1.
+This will activate the default `dev` profile and launch the built-in Tomcat web server on port 8080 that was forwarded using _ngrok_ in step 1.
 
 When the application has started, open the _ngrok_ HTTPS URL in your preferred web browser and follow instructions on the front page.
 
@@ -78,8 +78,10 @@ When the application has started, open the _ngrok_ HTTPS URL in your preferred w
   + [How to verify that HTTPS is configured properly](#how-to-verify-that-https-is-configured-properly)
 * [Deployment](#deployment)
 * [Frequently asked questions](#frequently-asked-questions)
-  + [Why do I sometimes get the `403 Forbidden` response during authentication?](#why-do-i-sometimes-get-the-403-forbidden-response-during-authentication)
-  + [Why do I get the `"Access denied to TSP service"` error?](#why-do-i-get-the-access-denied-to-tsp-service-error)
+  + [Why do I sometimes get the 403 Forbidden response during authentication?](#why-do-i-sometimes-get-the-403-forbidden-response-during-authentication)
+  + [Why do I get the "Access denied to TSP service" error?](#why-do-i-get-the-access-denied-to-tsp-service-error)
+  + [Why can I not use my test ID card?](#why-can-i-not-use-my-test-id-card)
+  + [Why do I get the 401 Unauthorized "Authentication failed: Web eID token validation failed" response during authentication?](#why-do-i-get-the-401-unauthorized-authentication-failed-web-eid-token-validation-failed-response-during-authentication)
 
 ## Overview of the project
 
@@ -88,7 +90,6 @@ This repository contains the code of a minimal Spring Boot web application that
 -   Spring Web MVC with REST support,
 -   the Thymeleaf template engine,
 -   Spring Security,
--   the Spring cache abstraction and the [_Caffeine_](https://github.com/ben-manes/caffeine) _JCache_-compatible caching implementation,
 -   the Web eID authentication token validation library [_web-eid-authtoken-validation-java_](https://github.com/web-eid/web-eid-authtoken-validation-java),
 -   the Web eID JavaScript library [_web-eid.js_](https://github.com/web-eid/web-eid.js),
 -   the digital signing library [_DigiDoc4j_](https://github.com/open-eid/digidoc4j).
@@ -101,9 +102,9 @@ There is also a Docker Compose configuration file `docker-compose.yml` in the ro
 
 The source code folder `src` contains the application source code and resources in the `main` subdirectory and tests in the `test` subdirectory.
 
-The `src/main/java/org/webeid/example` directory contains the Spring Boot application Java class and the following sub-folders:
+The `src/main/java/org/webeid/example` directory contains the Spring Boot application Java class and the following subdirectories:
 
--   `config`: Spring and HTTP security configuration, Web eID authentication token validation library configuration, cache configuration, trusted CA certificates loading etc,
+-   `config`: Spring and HTTP security configuration, Web eID authentication token validation library configuration, trusted CA certificates loading etc,
 -   `security`: Web eID authentication token validation library integration with Spring Security via an `AuthenticationProvider` and `AuthenticationProcessingFilter`,
 -   `service`: Web eID signing service implementation that uses DigiDoc4j, and DigiDoc4j runtime configuration,
 -   `web`: Spring Web MVC controller for the welcome page and Spring Web REST controllers that provide endpoints
@@ -131,23 +132,25 @@ The main configuration file `src/main/resources/application.yaml` is shared by a
 
 Besides configuration settings, the trusted certificate authority certificates may need to be configured as described in section [_3. Configure the trusted certificate authority certificates_](#3-configure-the-trusted-certificate-authority-certificates) above.
 
+Spring Security has CSRF protection enabled by default. Web eID requires CSRF protection.
+
 ### Integration with Web eID components
 
-Detailed overview of Java code changes required for integrating Web eID authentication token validation is available in the [_web-eid-authtoken-validation-java_ library README](https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/README.md). There are instructions for configuring the cache, nonce generator, trusted certificate authority certificates, authentication token validator, Spring Security authentication integration and REST endpoints. The corresponding Java code is in the `src/main/java/org/webeid/example/{config,security}` and `src/.../web/rest` directories.
+Detailed overview of Java code changes required for integrating Web eID authentication token validation is available in the [_web-eid-authtoken-validation-java_ library README](https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/README.md). There are instructions for configuring the nonce generator, trusted certificate authority certificates, authentication token validator, Spring Security authentication integration and REST endpoints. The corresponding Java code is in the `src/main/java/org/webeid/example/{config,security,web/rest}` directories.
 
 A similar overview of JavaScript and HTML code changes required for authentication and digital signing with Web eID is available in the [web-eid.js library README](https://github.com/web-eid/web-eid.js/blob/main/README.md). The corresponding JavaScript and HTML code is in the `src/resources/{static,templates}` directories.
 
 ### Integration with DigiDoc4j components
 
-Java code examples how to create and sign data containers that hold signed file objects and digital signatures is available in the [DigiDoc4j wiki](https://github.com/open-eid/digidoc4j/wiki/Examples-of-using-it). Further information and links to the API documentation is available in the project [README](https://github.com/open-eid/digidoc4j/blob/master/README.md). The corresponding Java code is in the `src/main/java/org/webeid/example/service` and `src/.../web/rest` directories.
+Java code examples that show how to create and sign data containers that hold signed file objects and digital signatures is available in the [DigiDoc4j wiki](https://github.com/open-eid/digidoc4j/wiki/Examples-of-using-it). Further information and links to the API documentation is available in the project [README](https://github.com/open-eid/digidoc4j/blob/master/README.md). The corresponding Java code is in the `src/main/java/org/webeid/example/{service,web/rest}` directories.
 
 #### Using the Certificates' _Authority Information Access_ (AIA) extension in DigiDoc4j
 
-In the `SigningService` constructor, we have configured DigiDoc4j to use the AIA extension that contains the certificates’ OCSP service location with `signingConfiguration.setPreferAiaOcsp(true)`. **Note that there may be legal limitations to using AIA URLs during signing** as the services behind these URLs provide different security and SLA guarantees than dedicated OCSP services, so you should consider using a dedicated OCSP service instead according to instructions in DigiDoc4j documentation. See also the [corresponding section in _web-eid-authtoken-validation-java_ README](https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/README.md#certificates-authority-information-access-aia-extension).
+In the `SigningService` constructor we have configured DigiDoc4j to use the AIA extension that contains the certificates’ OCSP service location with `signingConfiguration.setPreferAiaOcsp(true)`. Note that there may be limitations to using AIA URLs during signing as the services behind these URLs provide different security and SLA guarantees than dedicated OCSP services, so you should consider using a dedicated OCSP service instead. See the instructions in DigiDoc4j documentation and also the [corresponding section in _web-eid-authtoken-validation-java_ README](https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/README.md#certificates-authority-information-access-aia-extension).
 
 #### Using DigiDoc4j in test mode with the `dev` profile
 
-When using DigiDoc4j in test mode with a test eID card, you need to upload the corresponding authentication and signing certificates to the _demo.sk.ee_ OCSP responder database at https://demo.sk.ee/upload_cert/index.php, according to instructions on the webpage. You can choose the certificate status during upload, so you can test bad statuses as well as needed.
+When using DigiDoc4j in test mode with a test eID card, you need to upload the corresponding authentication and signing certificates to the _demo.sk.ee_ OCSP responder database at https://demo.sk.ee/upload_cert/index.php, according to instructions on the webpage. You can choose the certificate status during upload, so you can also test bad statuses.
 
 #### Using DigiDoc4j in production mode with the `prod` profile
 
@@ -155,13 +158,13 @@ When using DigiDoc4j in production mode, you need access to a paid timestamping
 
 ### Stateful and stateless authentication
 
-In the current example, we use the classical stateful Spring Security session cookie-based authentication mechanism where a cookie that contains the user session ID is set during successful login and session data is stored at sever side. Cookie-based authentication must be protected against cross-site request forgery (CSRF) attacks and extra measures must be taken to secure the cookies by serving them only over HTTPS and setting the _HttpOnly_, _Secure_ and _SameSite_ attributes.
+In the current example we use the classical stateful Spring Security session cookie-based authentication mechanism, where a cookie that contains the user session ID is set during successful login and session data is stored at sever side. Cookie-based authentication must be protected against cross-site request forgery (CSRF) attacks and extra measures must be taken to secure the cookies by serving them only over HTTPS and setting the _HttpOnly_, _Secure_ and _SameSite_ attributes.
 
-A common alternative to stateful authentication is stateless authentication with JSON Web Tokens (JWT) where the session data resides inside the token at client side. The Web eID authentication token itself is a JWT token, but it should be considered a temporary authentication information carrier during login and should not be used afterwards. In case you want to use JWT authentication, you should issue a new JWT after successful Web eID authentication token validation.
+A common alternative to stateful authentication is stateless authentication with JSON Web Tokens (JWT) or secure cookie sessions where the session data resides at client side browser and is either signed or encrypted. Secure cookie sessions are described in [RFC 6896](https://datatracker.ietf.org/doc/html/rfc6896) and in the following [article about secure cookie-based Spring Security sessions](https://www.innoq.com/en/blog/cookie-based-spring-security-session/). Usage of both an anonymous session and a cache is required to store the challenge nonce and the time it was issued before the user is authenticated. The anonymous session must be used for protection against [forged login attacks](https://en.wikipedia.org/wiki/Cross-site_request_forgery#Forging_login_requests) by guaranteeing that the authentication token is received from the same browser to which the corresponding challenge nonce was issued. The cache must be used for protection against replay attacks by guaranteeing that each authentication token can be used exactly once.
 
 ### Assuring that the signing and authentication certificate subjects match
 
-It usually required to verify that the signing certificate subject matches the authentication certificate subject by assuring that both ID codes match. This check is implemented at the beginning of the `SigningService.prepareContainer()` method.
+It is usually required to verify that the signing certificate subject matches the authentication certificate subject by assuring that both ID codes match. This check is implemented at the beginning of the `SigningService.prepareContainer()` method.
 
 ## HTTPS support
 
@@ -176,7 +179,7 @@ There are two ways of adding HTTPS support to a Spring Boot application:
 The first approach is straightforward and documented in the [official documentation](https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto.webserver.configure-ssl).
 
 The second approach, running behind a reverse proxy, is common in enterprise
-deployments and the configuration is more involved. We assume this setup in the
+deployments and the configuration is more complex. We assume this setup in the
 current project and document it in this section to facilitate production deployment.
 
 Enabling HTTPS support when running behind a reverse proxy server requires
@@ -243,3 +246,12 @@ This is most likely caused by an expired CSRF token. Please refresh the page and
 ### Why do I get the `"Access denied to TSP service"` error?
 
 This error means that access was denied to the timestamping service. You are running in production mode with the `prod` profile and need to register for paid access to the timestamping service as described in section [_Using DigiDoc4j in production mode with the `prod` profile_](#using-digidoc4j-in-production-mode-with-the-prod-profile) above.
+
+### Why can I not use my test ID card?
+
+When running the application with the `dev` profile in test mode, you need to upload the corresponding authentication and signing certificates to the _demo.sk.ee_ OCSP responder database at <https://demo.sk.ee/upload_cert/index.php>, according to instructions on the webpage.
+
+### Why do I get the `401 Unauthorized "Authentication failed: Web eID token validation failed"` response during authentication?
+
+One possible reason is that you are using the test ID card on a site that is running in production mode or, vice-versa, a real ID card on a site that is running in test mode; or any other ID card whose certificate authority has not been added to the list of trusted certificate authorities.
+
diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index a3e4cbf..965b08d 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -234,7 +234,7 @@ <h3><a id="for-developers"></a>For developers</h3>
             const challengeResponse = await fetch("/auth/challenge", {
                 method: "GET",
                 headers: {
-                    'Content-Type': 'application/json'
+                    "Content-Type": "application/json"
                 }
             });
             await checkHttpError(challengeResponse);
@@ -245,7 +245,7 @@ <h3><a id="for-developers"></a>For developers</h3>
             const authTokenResponse = await fetch("/auth/login", {
                 method: "POST",
                 headers: {
-                    'Content-Type': 'application/json',
+                    "Content-Type": "application/json",
                     [csrfHeaderName]: csrfToken
                 },
                 body: `{"auth-token": ${JSON.stringify(authToken)}}`
diff --git a/example/src/main/resources/templates/welcome.html b/example/src/main/resources/templates/welcome.html
index 83d93cc..ab0a093 100644
--- a/example/src/main/resources/templates/welcome.html
+++ b/example/src/main/resources/templates/welcome.html
@@ -86,7 +86,7 @@ <h2 class="adding-signature">Digital signing</h2>
             const prepareSigningResponse = await fetch("/sign/prepare", {
                 method: "POST",
                 headers: {
-                    'Content-Type': 'application/json',
+                    "Content-Type": "application/json",
                     [csrfHeaderName]: csrfToken
                 },
                 body: JSON.stringify({certificate, supportedSignatureAlgorithms}),
@@ -105,7 +105,7 @@ <h2 class="adding-signature">Digital signing</h2>
             const finalizeSigningResponse = await fetch("/sign/sign", {
                 method: "POST",
                 headers: {
-                    'Content-Type': 'application/json',
+                    "Content-Type": "application/json",
                     [csrfHeaderName]: csrfToken
                 },
                 body: JSON.stringify({signature, signatureAlgorithm}),

From 5af811b7749d6220056d21af282a15ef6141df01 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 4 Feb 2022 17:17:00 +0200
Subject: [PATCH 048/116] feat: add Ubuntu installation script

---
 .../scripts/download-install-web-eid.sh       | 149 ++++++++++++++++++
 .../src/main/resources/templates/index.html   |   7 +-
 2 files changed, 152 insertions(+), 4 deletions(-)
 create mode 100755 example/src/main/resources/static/scripts/download-install-web-eid.sh

diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
new file mode 100755
index 0000000..c05875a
--- /dev/null
+++ b/example/src/main/resources/static/scripts/download-install-web-eid.sh
@@ -0,0 +1,149 @@
+#!/bin/bash
+#
+# This script downloads and installs Web eID in .deb based Linux distributions.
+# License: public domain.
+# Based on https://github.com/open-eid/linux-installer/blob/master/install-open-eid.sh
+
+set -eu
+
+test_sudo() {
+  if ! command -v sudo>/dev/null; then
+     make_fail "You must have sudo and be in sudo group\nAs root do: apt-get install sudo && adduser $USER sudo"
+  fi
+}
+
+test_root() {
+  if test $(id -u) -eq 0; then
+    echo "You run this script as root. DO NOT RUN RANDOM SCRIPTS AS ROOT."
+    exit 2
+  fi
+}
+
+make_fail() {
+  echo -e "$1"
+  exit 3
+}
+
+make_warn() {
+  echo "### $1"
+  echo "Press ENTER to continue, CTRL-C to cancel"
+  read -r dummy
+}
+
+make_install() {
+  echo "Installing Web eID packages for Ubuntu $1"
+  TMPDIR=`mktemp -d`
+  cd $TMPDIR
+  BUILD=`[[ $1 == *0 ]] && echo 555 || echo 552`
+  VERSION=${1//./}
+  wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid_2.0.0.${BUILD}-${VERSION}_all.deb"
+  wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-chrome_2.0.0.${BUILD}-${VERSION}_all.deb"
+  wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-firefox_2.0.0.${BUILD}-${VERSION}_all.deb"
+  wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-native_2.0.0.${BUILD}-${VERSION}_amd64.deb"
+  sudo apt install ./web-eid*.deb
+  cd /tmp
+  rm -r $TMPDIR
+}
+
+### main
+
+# Check for Debian derivative.
+if ! command -v lsb_release>/dev/null; then
+  make_fail "# Not a Debian Linux derivative, cannot continue."
+fi
+
+# We use sudo.
+test_root
+test_sudo
+
+# version   name    LTS   supported until
+# 18.04     bionic  LTS   2023-04
+# 20.04     focal   LTS   2025-04
+# 21.10     impish   -    2022-07
+LATEST_SUPPORTED_UBUNTU_CODENAME='impish'
+LATEST_SUPPORTED_UBUNTU_VERSION='21.10'
+
+# Check the distro and release.
+distro=$(lsb_release -is | tr '[:upper:]' '[:lower:]')
+release=$(lsb_release -rs)
+codename=$(lsb_release -cs)
+
+case $distro in
+   debian)
+      make_warn "Debian is not officially supported"
+      case "$codename" in
+        buster)
+          make_warn "Debian $codename is not officially supported"
+          make_warn "Installing from ubuntu-bionic repository"
+          make_install '18.04'
+          ;;
+        *)
+          make_fail "Debian $codename is not officially supported"
+          ;;
+      esac
+      ;;
+   ubuntu|neon)
+      case $distro in
+         neon) make_warn "Neon is not officially supported; assuming that it is equivalent to Ubuntu" ;;
+         *) ;;
+      esac
+      case $codename in
+        utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute)
+          make_fail "Ubuntu $codename is not officially supported"
+          ;;
+        bionic|focal|impish)
+          make_install $release
+          ;;
+        *)
+          make_warn "Ubuntu $codename is not officially supported"
+          make_warn "Trying to install package for Ubuntu ${LATEST_SUPPORTED_UBUNTU_CODENAME}"
+          make_install ${LATEST_SUPPORTED_UBUNTU_VERSION}
+          ;;
+      esac
+      ;;
+   linuxmint)
+      case $release in
+        20*)
+          make_warn "Linuxmint 20 is not officially supported"
+          make_install '20.04'
+          ;;
+        19*)
+          make_warn "LinuxMint 19 is not officially supported"
+          make_install '18.04'
+          ;;
+        *)
+          make_fail "LinuxMint $release is not officially supported"
+          ;;
+      esac
+      ;;
+   elementary*os|elementary)
+      case $release in
+        5.*)
+          make_warn "Elementary OS 5 is not officially supported"
+          make_install '18.04'
+          ;;
+        *)
+          make_fail "Elementary OS $release is not officially supported"
+          ;;
+      esac
+      ;;
+   pop)
+      case $codename in
+        artful|cosmic|disco|eoan)
+          make_fail "Pop!_OS $codename is not officially supported"
+          ;;
+        bionic|focal)
+          make_warn "Pop!_OS $codename is not officially supported"
+          make_install $release
+          ;;
+        *)
+          make_warn "Pop!_OS $codename is not officially supported"
+          make_warn "Trying to install package for Pop!_OS ${LATEST_SUPPORTED_UBUNTU_CODENAME}"
+          make_install ${LATEST_SUPPORTED_UBUNTU_VERSION}
+          ;;
+      esac
+      ;;
+   *)
+      make_fail "$distro is not supported :("
+      ;;
+esac
diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index 965b08d..7824e31 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -52,10 +52,9 @@ <h3><a id="usage"></a>Usage</h3>
                 <li>
                     Download and run the Web eID native app and browser extension installer:
                     <ul>
-                        <li>on <b>Ubuntu Linux</b> 20.04, for Firefox and Chrome from <a
-                                href="https://installer.id.ee/media/web-eid/web-eid_2.0.0.555-2110_all.deb">here</a>,
-                            install it with either the Ubuntu Software Center or from the console with<br>
-                            <code>sudo apt install ./web-eid_[version].deb</code>
+                        <li>on <b>Ubuntu Linux</b>, for Firefox and Chrome, download and execute the<br>
+                            <a href="/scripts/download-install-web-eid.sh"><code>download-install-web-eid.sh</code></a> script from the console with<br>
+                            <code>wget -O - https://<span th:text="${#httpServletRequest.serverName}"/>/scripts/download-install-web-eid.sh | bash</code><br>
                         </li>
                         <li>on <b>macOS</b> 10.15 or later, for Firefox and Chrome from <a
                                 href="https://installer.id.ee/media/web-eid/web-eid_2.0.0.556.dmg">here</a>,

From ee4af455bac0f0ebdecdf9f3be906ac596cd0df5 Mon Sep 17 00:00:00 2001
From: Heikki Kitt <heikki.kitt@gmail.com>
Date: Tue, 15 Feb 2022 16:13:21 +0200
Subject: [PATCH 049/116] add -y to install packages without user prompt

---
 .../main/resources/static/scripts/download-install-web-eid.sh   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
index c05875a..c7a43f6 100755
--- a/example/src/main/resources/static/scripts/download-install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/download-install-web-eid.sh
@@ -40,7 +40,7 @@ make_install() {
   wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-chrome_2.0.0.${BUILD}-${VERSION}_all.deb"
   wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-firefox_2.0.0.${BUILD}-${VERSION}_all.deb"
   wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-native_2.0.0.${BUILD}-${VERSION}_amd64.deb"
-  sudo apt install ./web-eid*.deb
+  sudo apt install -y ./web-eid*.deb
   cd /tmp
   rm -r $TMPDIR
 }

From d2b067c17675abb64d08b34049e467ceeb918400 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 11 Mar 2022 21:27:21 +0200
Subject: [PATCH 050/116] docs,tests: update security analysis link, remove
 unused parameters from tests

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/src/main/resources/templates/index.html                 | 2 +-
 example/src/test/java/eu/webeid/example/WebApplicationTest.java | 2 +-
 .../src/test/java/eu/webeid/example/testutil/HttpHelper.java    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index 7824e31..0d84921 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -170,7 +170,7 @@ <h3><a id="documentation"></a>Documentation</h3>
             </p>
             <p>
                 Security analysis of the solution is available
-                <a href="https://web-eid.gitlab.io/analysis/webextensions-main.pdf">in this document</a>.
+                <a href="https://web-eid.github.io/web-eid-cybernetica-analysis/webextensions-main.pdf">in this document</a>.
             </p>
             <hr/>
             <h3><a id="for-developers"></a>For developers</h3>
diff --git a/example/src/test/java/eu/webeid/example/WebApplicationTest.java b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
index fdb267e..f4e51ac 100644
--- a/example/src/test/java/eu/webeid/example/WebApplicationTest.java
+++ b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
@@ -125,7 +125,7 @@ public static MockMultipartFile mockMultipartFile() {
         response = HttpHelper.sign(mvcBuilder, session, ObjectMother.mockSignRequest(digestDTO.getHash()));
         assertEquals(HttpStatus.OK.value(), response.getStatus());
 
-        response = HttpHelper.download(mvcBuilder, session, ObjectMother.mockSignRequest(digestDTO.getHash()));
+        response = HttpHelper.download(mvcBuilder, session);
         assertEquals(HttpStatus.OK.value(), response.getStatus());
         assertEquals("attachment; filename=example-for-signing.asice", response.getHeader("Content-Disposition"));
     }
diff --git a/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java b/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
index fc4f801..a45c74c 100644
--- a/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
+++ b/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
@@ -92,7 +92,7 @@ public static MockHttpServletResponse sign(DefaultMockMvcBuilder mvcBuilder, Moc
         // @formatter:on
     }
 
-    public static MockHttpServletResponse download(DefaultMockMvcBuilder mvcBuilder, MockHttpSession session, SignatureDTO mockSignRequest) throws Exception {
+    public static MockHttpServletResponse download(DefaultMockMvcBuilder mvcBuilder, MockHttpSession session) throws Exception {
         // @formatter:off
         return mvcBuilder
                 .build()

From 41f635d587a5bc1a576847f2253de0008c952ae4 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 1 Apr 2022 14:06:01 +0300
Subject: [PATCH 051/116] deps: upgrade Spring Boot and other dependencies

---
 example/pom.xml                             | 12 ++++++++----
 example/src/main/resources/application.yaml |  4 ++++
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/example/pom.xml b/example/pom.xml
index 17046f7..5bbda36 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.2.5.RELEASE</version>
+		<version>2.6.5</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>org.webeid.example</groupId>
@@ -29,6 +29,10 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-validation</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-thymeleaf</artifactId>
@@ -45,18 +49,18 @@
 		<dependency>
 			<groupId>com.google.guava</groupId>
 			<artifactId>guava</artifactId>
-			<version>30.1-jre</version>
+			<version>31.1-jre</version>
 		</dependency>
 		<dependency>
 			<groupId>com.squareup.okhttp3</groupId>
 			<artifactId>okhttp</artifactId>
-			<version>4.9.0</version>
+			<version>4.9.3</version>
 		</dependency>
 
 		<dependency>
 			<groupId>org.digidoc4j</groupId>
 			<artifactId>digidoc4j</artifactId>
-			<version>4.1.1</version>
+			<version>4.3.0</version>
 		</dependency>
 		<dependency>
 			<groupId>org.webeid.security</groupId>
diff --git a/example/src/main/resources/application.yaml b/example/src/main/resources/application.yaml
index ae50d3b..b235fef 100644
--- a/example/src/main/resources/application.yaml
+++ b/example/src/main/resources/application.yaml
@@ -1,3 +1,7 @@
+spring:
+  main:
+    allow-circular-references: true
+
 # Make session cookie secure behind a reverse proxy, see
 # - https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-use-behind-a-proxy-server
 # - https://docs.spring.io/spring-boot/docs/2.2.5.RELEASE/reference/htmlsingle/#howto-enable-https

From 06d72c21e1f1f1f54f4c0b2454e2300b6f602877 Mon Sep 17 00:00:00 2001
From: Kristel Merilain <kristel.merilain@ria.ee>
Date: Thu, 2 Jun 2022 13:25:10 +0300
Subject: [PATCH 052/116] Update LICENSE

---
 example/LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/LICENSE b/example/LICENSE
index 0b8eeef..1d8f1fd 100644
--- a/example/LICENSE
+++ b/example/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2020 The Web eID Project
+Copyright (c) 2020-2022 Estonian Information System Authority
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

From 2e929fa72f9cde49e1f101565a8cdc020278e921 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 26 Jul 2022 16:56:50 +0300
Subject: [PATCH 053/116] release: Web eID release v2.1.0

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/pom.xml                               | 13 ++++---
 example/scripts/deployment/fab.sh             |  7 ++--
 .../scripts/download-install-web-eid.sh       | 27 +++++++-------
 .../src/main/resources/templates/index.html   | 36 ++++++++++++-------
 4 files changed, 50 insertions(+), 33 deletions(-)

diff --git a/example/pom.xml b/example/pom.xml
index 5bbda36..d3eaeba 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.6.5</version>
+		<version>2.7.2</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>org.webeid.example</groupId>
@@ -20,7 +20,10 @@
 		<java.version>1.8</java.version>
 		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
 		<caffeine.version>2.8.5</caffeine.version>
-		<webeid.version>2.0.0</webeid.version>
+		<webeid.version>2.0.1</webeid.version>
+		<digidoc4j.version>5.0.0</digidoc4j.version>
+		<guava.version>31.1-jre</guava.version>
+		<okhttp.version>4.10.0</okhttp.version>
 		<jmockit.version>1.44</jmockit.version>
 	</properties>
 
@@ -49,18 +52,18 @@
 		<dependency>
 			<groupId>com.google.guava</groupId>
 			<artifactId>guava</artifactId>
-			<version>31.1-jre</version>
+			<version>${guava.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>com.squareup.okhttp3</groupId>
 			<artifactId>okhttp</artifactId>
-			<version>4.9.3</version>
+			<version>${okhttp.version}</version>
 		</dependency>
 
 		<dependency>
 			<groupId>org.digidoc4j</groupId>
 			<artifactId>digidoc4j</artifactId>
-			<version>4.3.0</version>
+			<version>${digidoc4j.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>org.webeid.security</groupId>
diff --git a/example/scripts/deployment/fab.sh b/example/scripts/deployment/fab.sh
index e58e1dd..e5d52d6 100644
--- a/example/scripts/deployment/fab.sh
+++ b/example/scripts/deployment/fab.sh
@@ -2,10 +2,11 @@
 
 set -eu
 
-SERVER_ADDRESS=server
-SERVER_USER=user
+SERVER_ADDRESS=web-eid.eu
+SERVER_USER=baron
 SERVER_PORT=22
 
-export WEBEID_DIR='/path/'
+export WEBEID_DIR='web-eid/web-eid-springboot-example'
+export WEBEID_DIR='web-eid/test-web-eid-springboot-example'
 
 fab -e -H ${SERVER_USER}@${SERVER_ADDRESS}:${SERVER_PORT} "$@"
diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
index c7a43f6..7cc5f7d 100755
--- a/example/src/main/resources/static/scripts/download-install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/download-install-web-eid.sh
@@ -34,15 +34,17 @@ make_install() {
   echo "Installing Web eID packages for Ubuntu $1"
   TMPDIR=`mktemp -d`
   cd $TMPDIR
-  BUILD=`[[ $1 == *0 ]] && echo 555 || echo 552`
-  VERSION=${1//./}
-  wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid_2.0.0.${BUILD}-${VERSION}_all.deb"
-  wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-chrome_2.0.0.${BUILD}-${VERSION}_all.deb"
-  wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-firefox_2.0.0.${BUILD}-${VERSION}_all.deb"
-  wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-native_2.0.0.${BUILD}-${VERSION}_amd64.deb"
-  sudo apt install -y ./web-eid*.deb
-  cd /tmp
-  rm -r $TMPDIR
+  VERSION='2.0.2'
+  # BUILD=`[[ $1 == *0 ]] && echo 555 || echo 552`
+  BUILD='565'
+  UBUNTU_VERSION=${1//./}
+  wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid_${VERSION}.${BUILD}-${UBUNTU_VERSION}_all.deb"
+  wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-chrome_${VERSION}.${BUILD}-${UBUNTU_VERSION}_all.deb"
+  wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-firefox_${VERSION}.${BUILD}-${UBUNTU_VERSION}_all.deb"
+  wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-native_${VERSION}.${BUILD}-${UBUNTU_VERSION}_amd64.deb"
+  # sudo apt install -y ./web-eid*.deb
+  # cd /tmp
+  # rm -r $TMPDIR
 }
 
 ### main
@@ -60,8 +62,9 @@ test_sudo
 # 18.04     bionic  LTS   2023-04
 # 20.04     focal   LTS   2025-04
 # 21.10     impish   -    2022-07
-LATEST_SUPPORTED_UBUNTU_CODENAME='impish'
-LATEST_SUPPORTED_UBUNTU_VERSION='21.10'
+# 22.04     jammy   LTS   2027-04
+LATEST_SUPPORTED_UBUNTU_CODENAME='jammy'
+LATEST_SUPPORTED_UBUNTU_VERSION='22.04'
 
 # Check the distro and release.
 distro=$(lsb_release -is | tr '[:upper:]' '[:lower:]')
@@ -91,7 +94,7 @@ case $distro in
         utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute)
           make_fail "Ubuntu $codename is not officially supported"
           ;;
-        bionic|focal|impish)
+        bionic|focal|impish|jammy)
           make_install $release
           ;;
         *)
diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index 0d84921..70f30b7 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -57,13 +57,14 @@ <h3><a id="usage"></a>Usage</h3>
                             <code>wget -O - https://<span th:text="${#httpServletRequest.serverName}"/>/scripts/download-install-web-eid.sh | bash</code><br>
                         </li>
                         <li>on <b>macOS</b> 10.15 or later, for Firefox and Chrome from <a
-                                href="https://installer.id.ee/media/web-eid/web-eid_2.0.0.556.dmg">here</a>,
+                                href="https://installer.id.ee/media/web-eid/web-eid_2.0.2.565.dmg">here</a>,
                         </li>
                         <li>on <b>macOS</b> 10.15 or later, for Safari, install the extension from <a
                                 href="https://apps.apple.com/ee/app/web-eid/id1576665083?mt=12">App Store</a>,
                         </li>
-                        <li>on <b>Windows</b> 10 (64-bit), for Firefox, Chrome and Edge from <a
-                                href="https://installer.id.ee/media/web-eid/web-eid_2.0.0.552.exe">here</a>.
+                        <li>on <b>Windows</b> 10,  Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022,
+                            for Firefox, Chrome and Edge from <a
+                                href="https://installer.id.ee/media/web-eid/web-eid_2.0.2.566.x64.exe">here</a>.
                         </li>
                     </ul>
                 </li>
@@ -175,9 +176,7 @@ <h3><a id="documentation"></a>Documentation</h3>
             <hr/>
             <h3><a id="for-developers"></a>For developers</h3>
             <p>
-                Currently the Web eID back-end libraries are available for Java web applications.
-                The .NET/C# version is in the works, the development version is available
-                <a href="https://github.com/web-eid/web-eid-authtoken-validation-dotnet/">here</a>.
+                Currently the Web eID back-end libraries are available for Java and .NET web applications.
             </p>
             <p>
                 To implement authentication and digital signing with Web eID in a Java web application,
@@ -187,20 +186,31 @@ <h3><a id="for-developers"></a>For developers</h3>
                     according to the instructions
                     <a href="https://github.com/web-eid/web-eid.js#quickstart">here</a>,
                 </li>
-                <li>for authentication, use the <i>web-eid-authtoken-validation-java</i> Java library in
-                    the back end of the web application according to the instructions
-                    <a href="https://github.com/web-eid/web-eid-authtoken-validation-java#quickstart">here</a>,
+                <li>for authentication
+                    <ul>
+                        <li>in Java use the <i>web-eid-authtoken-validation-java</i> library in
+                            the back end of the web application according to the instructions
+                            <a href="https://github.com/web-eid/web-eid-authtoken-validation-java#quickstart">here</a>,</li>
+                        <li>in .NET/C# use the <i>web-eid-authtoken-validation-dotnet</i> library according to the instructions
+                            <a href="https://github.com/web-eid/web-eid-authtoken-validation-dotnet#quickstart">here</a></li>
+                    </ul>
                 </li>
-                <li>for digital signing, use the <i>digidoc4j</i> Java library in the back end of the web
-                    application according to the instructions
-                    <a href="https://github.com/open-eid/digidoc4j/wiki/Examples-of-using-it">here</a>.
+                <li>for digital signing
+                    <ul>
+                        <li>in Java use the <i>digidoc4j</i> library in the back end of the web
+                            application according to the instructions
+                            <a href="https://github.com/web-eid/web-eid-spring-boot-example#integration-with-digidoc4j-components">here</a>,</li>
+                        <li>in .NET/C# use the <i>libdigidocpp</i> library in the back end of the web
+                            application according to the instructions
+                            <a href="https://github.com/web-eid/web-eid-asp-dotnet-example#3-setup-the-libdigidocpp-library-for-signing">here</a>.</li>
+                    </ul>
                 </li>
             </ul>
             <p>
                 The full source code of an example Spring Boot web application that uses Web eID for authentication
                 and digital signing is available
                 <a href="https://github.com/web-eid/web-eid-spring-boot-example">here</a>.
-                The .NET/C# version of the example will eventually be available
+                The .NET/C# version of the example is available
                 <a href="https://github.com/web-eid/web-eid-asp-dotnet-example">here</a>.
             </p>
         </div>

From e2898ba7c1982391f2137e60f783a6b4aaa6285a Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 26 Jul 2022 17:45:02 +0300
Subject: [PATCH 054/116] deps: roll back DigiDoc4j to version 4.3.0

---
 example/pom.xml                   | 2 +-
 example/scripts/deployment/fab.sh | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
 mode change 100644 => 100755 example/scripts/deployment/fab.sh

diff --git a/example/pom.xml b/example/pom.xml
index d3eaeba..2f8c1c0 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -21,7 +21,7 @@
 		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
 		<caffeine.version>2.8.5</caffeine.version>
 		<webeid.version>2.0.1</webeid.version>
-		<digidoc4j.version>5.0.0</digidoc4j.version>
+		<digidoc4j.version>4.3.0</digidoc4j.version>
 		<guava.version>31.1-jre</guava.version>
 		<okhttp.version>4.10.0</okhttp.version>
 		<jmockit.version>1.44</jmockit.version>
diff --git a/example/scripts/deployment/fab.sh b/example/scripts/deployment/fab.sh
old mode 100644
new mode 100755
index e5d52d6..85af577
--- a/example/scripts/deployment/fab.sh
+++ b/example/scripts/deployment/fab.sh
@@ -2,6 +2,8 @@
 
 set -eu
 
+cd "$( dirname "$0" )"
+
 SERVER_ADDRESS=web-eid.eu
 SERVER_USER=baron
 SERVER_PORT=22
@@ -9,4 +11,5 @@ SERVER_PORT=22
 export WEBEID_DIR='web-eid/web-eid-springboot-example'
 export WEBEID_DIR='web-eid/test-web-eid-springboot-example'
 
+. venv/bin/activate
 fab -e -H ${SERVER_USER}@${SERVER_ADDRESS}:${SERVER_PORT} "$@"

From 3ac4dc2ea582921e2a7fd43aee5e0719c9fdbca2 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Mon, 1 Aug 2022 17:22:03 +0300
Subject: [PATCH 055/116] docs(index.html): use Web eID in a Java or .NET web
 application

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/src/main/resources/templates/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index 70f30b7..ca15feb 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -179,7 +179,7 @@ <h3><a id="for-developers"></a>For developers</h3>
                 Currently the Web eID back-end libraries are available for Java and .NET web applications.
             </p>
             <p>
-                To implement authentication and digital signing with Web eID in a Java web application,
+                To implement authentication and digital signing with Web eID in a Java or .NET web application,
                 you need to
             <ul>
                 <li>use the <i>web-eid.js</i> JavaScript library in the front end of the web application

From de06fabc7166c14715841dcdb1256acbcaea492b Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Wed, 31 Aug 2022 16:04:19 +0300
Subject: [PATCH 056/116] docs(index.html),script: emphazise latest official
 Open EID packages, mention the Snap problem, re-enable installation in
 download-install-web-eid.sh

---
 .../scripts/download-install-web-eid.sh       |  6 +--
 .../src/main/resources/templates/index.html   | 47 ++++++++++++++-----
 2 files changed, 37 insertions(+), 16 deletions(-)

diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
index 7cc5f7d..6fc4cf8 100755
--- a/example/src/main/resources/static/scripts/download-install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/download-install-web-eid.sh
@@ -42,9 +42,9 @@ make_install() {
   wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-chrome_${VERSION}.${BUILD}-${UBUNTU_VERSION}_all.deb"
   wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-firefox_${VERSION}.${BUILD}-${UBUNTU_VERSION}_all.deb"
   wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-native_${VERSION}.${BUILD}-${UBUNTU_VERSION}_amd64.deb"
-  # sudo apt install -y ./web-eid*.deb
-  # cd /tmp
-  # rm -r $TMPDIR
+  sudo apt install -y ./web-eid*.deb
+  cd /tmp
+  rm -r $TMPDIR
 }
 
 ### main
diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index ca15feb..9acce57 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -28,7 +28,8 @@ <h2>Web eID: electronic ID smart cards on the Web</h2>
             </p>
             <p>
                 Estonian, Finnish, Latvian, Lithuanian and Croatian eID cards are supported in the first phase, but only
-                Estonian eID card support is currently enabled in the test application below.
+                Estonian eID card support is currently enabled in the test application below. Belgian eID support is
+                upcoming.
             </p>
             <p>
                 Please get in touch by email at help@ria.ee in case you need support with adding Web eID to your project
@@ -45,16 +46,26 @@ <h4>Table of contents</h4>
 
             <hr/>
             <h3><a id="usage"></a>Usage</h3>
-            <p>
-                Instructions for installing and testing the latest version in Firefox, Chrome, Edge or Safari:
+            <p>The recommended way of installing Web eID is by installing <a
+                    href="https://www.id.ee/en/article/install-id-software/">the latest Open-EID ID-software package</a>.
+                In case you do not need or want to install the Open-EID package, install the latest Web eID packages in
+                Firefox, Chrome, Edge or Safari according to the following instructions:
             </p>
             <ol>
                 <li>
                     Download and run the Web eID native app and browser extension installer:
                     <ul>
                         <li>on <b>Ubuntu Linux</b>, for Firefox and Chrome, download and execute the<br>
-                            <a href="/scripts/download-install-web-eid.sh"><code>download-install-web-eid.sh</code></a> script from the console with<br>
-                            <code>wget -O - https://<span th:text="${#httpServletRequest.serverName}"/>/scripts/download-install-web-eid.sh | bash</code><br>
+                            <a href="/scripts/download-install-web-eid.sh"><code>download-install-web-eid.sh</code></a>
+                            script from the console with<br>
+                            <code>wget -O - https://<span th:text="${#httpServletRequest.serverName}"/>/scripts/download-install-web-eid.sh
+                                | bash</code><br>
+                            <b>Note that Firefox is installed with Snap in Ubuntu 22.04 or later by default and as the
+                                Snap sandbox does not allow communication with the external native messaging host, Web
+                                eID will not work.</b>
+                            Install Firefox via the Debian package instead of Snap if you want to use Web eID with
+                            Firefox in Ubuntu 22.04+. Instructions how to do that are available <a
+                                    href="https://www.omgubuntu.co.uk/2022/04/how-to-install-firefox-deb-apt-ubuntu-22-04">here</a>.
                         </li>
                         <li>on <b>macOS</b> 10.15 or later, for Firefox and Chrome from <a
                                 href="https://installer.id.ee/media/web-eid/web-eid_2.0.2.565.dmg">here</a>,
@@ -62,9 +73,10 @@ <h3><a id="usage"></a>Usage</h3>
                         <li>on <b>macOS</b> 10.15 or later, for Safari, install the extension from <a
                                 href="https://apps.apple.com/ee/app/web-eid/id1576665083?mt=12">App Store</a>,
                         </li>
-                        <li>on <b>Windows</b> 10,  Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022,
+                        <li>on <b>Windows</b> 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server
+                            2022,
                             for Firefox, Chrome and Edge from <a
-                                href="https://installer.id.ee/media/web-eid/web-eid_2.0.2.566.x64.exe">here</a>.
+                                    href="https://installer.id.ee/media/web-eid/web-eid_2.0.2.566.x64.exe">here</a>.
                         </li>
                     </ul>
                 </li>
@@ -74,6 +86,9 @@ <h3><a id="usage"></a>Usage</h3>
                     the browser or from the browser extensions management page and may need browser restart under
                     certain circumstances.
                 </li>
+            </ol>
+            <p>Testing:</p>
+            <ol>
                 <li>
                     Attach a smart card reader to the computer and insert the eID card into the reader.
                 </li>
@@ -171,7 +186,8 @@ <h3><a id="documentation"></a>Documentation</h3>
             </p>
             <p>
                 Security analysis of the solution is available
-                <a href="https://web-eid.github.io/web-eid-cybernetica-analysis/webextensions-main.pdf">in this document</a>.
+                <a href="https://web-eid.github.io/web-eid-cybernetica-analysis/webextensions-main.pdf">in this
+                    document</a>.
             </p>
             <hr/>
             <h3><a id="for-developers"></a>For developers</h3>
@@ -190,19 +206,24 @@ <h3><a id="for-developers"></a>For developers</h3>
                     <ul>
                         <li>in Java use the <i>web-eid-authtoken-validation-java</i> library in
                             the back end of the web application according to the instructions
-                            <a href="https://github.com/web-eid/web-eid-authtoken-validation-java#quickstart">here</a>,</li>
-                        <li>in .NET/C# use the <i>web-eid-authtoken-validation-dotnet</i> library according to the instructions
-                            <a href="https://github.com/web-eid/web-eid-authtoken-validation-dotnet#quickstart">here</a></li>
+                            <a href="https://github.com/web-eid/web-eid-authtoken-validation-java#quickstart">here</a>,
+                        </li>
+                        <li>in .NET/C# use the <i>web-eid-authtoken-validation-dotnet</i> library according to the
+                            instructions
+                            <a href="https://github.com/web-eid/web-eid-authtoken-validation-dotnet#quickstart">here</a>
+                        </li>
                     </ul>
                 </li>
                 <li>for digital signing
                     <ul>
                         <li>in Java use the <i>digidoc4j</i> library in the back end of the web
                             application according to the instructions
-                            <a href="https://github.com/web-eid/web-eid-spring-boot-example#integration-with-digidoc4j-components">here</a>,</li>
+                            <a href="https://github.com/web-eid/web-eid-spring-boot-example#integration-with-digidoc4j-components">here</a>,
+                        </li>
                         <li>in .NET/C# use the <i>libdigidocpp</i> library in the back end of the web
                             application according to the instructions
-                            <a href="https://github.com/web-eid/web-eid-asp-dotnet-example#3-setup-the-libdigidocpp-library-for-signing">here</a>.</li>
+                            <a href="https://github.com/web-eid/web-eid-asp-dotnet-example#3-setup-the-libdigidocpp-library-for-signing">here</a>.
+                        </li>
                     </ul>
                 </li>
             </ul>

From de4ba2feb284068dbb9bbc428480684b74cdf57a Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Wed, 31 Aug 2022 17:42:11 +0300
Subject: [PATCH 057/116] docs(index.html): add section how to verify if
 debugging works as requested by web-eid-app/issues/214

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/src/main/resources/templates/index.html | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index 9acce57..a235be1 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -128,7 +128,7 @@ <h5>macOS</h5>
             <h5>Windows</h5>
             <p>Uninstall the Web eID software using <i>Add or remove programs</i>.</p>
 
-            <h4>Debugging and logs</h4>
+            <h4><a id="debugging-and-logs"></a>Debugging and logs</h4>
             <ul>
                 <li>
                     To debug the extension, open the extension page and select
@@ -173,6 +173,10 @@ <h4>Debugging and logs</h4>
                         </li>
                     </ul>
                 </li>
+                <li>
+                    You can verify if debugging works by executing the native application <code>web-eid</code> manually,
+                    there will be an informative message in the logs.
+                </li>
             </ul>
 
             <hr/>

From e514fb280dd66a34acacbf34639c29ff1cb596d6 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 14 Oct 2022 20:10:22 +0300
Subject: [PATCH 058/116] deps(web-eid-authtoken-validation): bump
 authtoken-validation version to v2.1.0

---
 example/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/pom.xml b/example/pom.xml
index 2f8c1c0..8768f36 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -20,7 +20,7 @@
 		<java.version>1.8</java.version>
 		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
 		<caffeine.version>2.8.5</caffeine.version>
-		<webeid.version>2.0.1</webeid.version>
+		<webeid.version>2.1.0</webeid.version>
 		<digidoc4j.version>4.3.0</digidoc4j.version>
 		<guava.version>31.1-jre</guava.version>
 		<okhttp.version>4.10.0</okhttp.version>

From 4a8070739dd1a4369bbb90c14da67675e023879d Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Mon, 7 Nov 2022 21:34:31 +0200
Subject: [PATCH 059/116] refactor,fix: fix logging package name in
 application.yaml, enable support for ESTEID 2015 test certificates in
 development profile

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 .../webeid/example/config/ValidationConfiguration.java | 10 +++++++---
 example/src/main/resources/application.yaml            |  4 ++--
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
index f5419f2..4fcc505 100644
--- a/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
@@ -126,11 +126,15 @@ public X509Certificate[] loadTrustedCACertificatesFromTrustStore() {
     @Bean
     public AuthTokenValidator validator() {
         try {
-            return new AuthTokenValidatorBuilder()
+            AuthTokenValidatorBuilder validatorBuilder = new AuthTokenValidatorBuilder()
                     .withSiteOrigin(URI.create(yamlConfig().getLocalOrigin()))
                     .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromCerFiles())
-                    .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromTrustStore())
-                    .build();
+                    .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromTrustStore());
+            if (activeProfile.equals("dev")) {
+                // Enable support for ESTEID 2015 test certificates in development profile.
+                validatorBuilder = validatorBuilder.withNonceDisabledOcspUrls(URI.create("http://aia.demo.sk.ee/esteid2015"));
+            }
+            return validatorBuilder.build();
         } catch (JceException e) {
             throw new RuntimeException("Error building the Web eID auth token validator.", e);
         }
diff --git a/example/src/main/resources/application.yaml b/example/src/main/resources/application.yaml
index b235fef..df3117c 100644
--- a/example/src/main/resources/application.yaml
+++ b/example/src/main/resources/application.yaml
@@ -14,6 +14,6 @@ server:
 
 logging:
   level:
-    org.webeid.security: DEBUG
-    org.webeid.example: DEBUG
+    eu.webeid.security: DEBUG
+    eu.webeid.example: DEBUG
     org.springframework.security.web.csrf.CsrfFilter: DEBUG

From a3285a665f42b584dab3171a9c2d902532dcdb5e Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Wed, 9 Nov 2022 21:11:02 +0200
Subject: [PATCH 060/116] feat: add support for organization certificates

---
 .../security/WebEidAuthentication.java        |   9 +++++--
 .../src/main/resources/application-dev.yaml   |   2 +-
 .../certs/dev/TEST_of_KLASS3-SK_2016.cer      | Bin 0 -> 1741 bytes
 .../security/WebEidAuthenticationTest.java    |  23 ++++++++++++++++++
 4 files changed, 31 insertions(+), 3 deletions(-)
 create mode 100644 example/src/main/resources/certs/dev/TEST_of_KLASS3-SK_2016.cer
 create mode 100644 example/src/test/java/eu/webeid/example/security/WebEidAuthenticationTest.java

diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
index 16a4306..c996698 100644
--- a/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
@@ -52,8 +52,13 @@ private WebEidAuthentication(String principalName, String idCode, List<GrantedAu
     }
 
     private static String getPrincipalNameFromCertificate(X509Certificate userCertificate) throws CertificateEncodingException {
-        return Objects.requireNonNull(CertificateData.getSubjectGivenName(userCertificate)) + ' ' +
-                Objects.requireNonNull(CertificateData.getSubjectSurname(userCertificate));
+        try {
+            return Objects.requireNonNull(CertificateData.getSubjectGivenName(userCertificate)) + ' ' +
+                    Objects.requireNonNull(CertificateData.getSubjectSurname(userCertificate));
+        } catch (CertificateEncodingException e) {
+            // Organization certificates do not have given name and surname fields.
+            return Objects.requireNonNull(CertificateData.getSubjectCN(userCertificate));
+        }
     }
 
 }
diff --git a/example/src/main/resources/application-dev.yaml b/example/src/main/resources/application-dev.yaml
index 748b53f..9c63732 100644
--- a/example/src/main/resources/application-dev.yaml
+++ b/example/src/main/resources/application-dev.yaml
@@ -1,4 +1,4 @@
 web-eid-auth-token:
   validation:
     use-digidoc4j-prod-configuration: false
-    local-origin: "https://528bc9f21520.ngrok.io"
+    local-origin: "https://test.web-eid.eu"
diff --git a/example/src/main/resources/certs/dev/TEST_of_KLASS3-SK_2016.cer b/example/src/main/resources/certs/dev/TEST_of_KLASS3-SK_2016.cer
new file mode 100644
index 0000000000000000000000000000000000000000..190f6de7e83bbb980d0f5c932dff55022fbd8f47
GIT binary patch
literal 1741
zcmb7EYfuwc6y8lX;T0ky5wL&+AAlg)yD>ae6w;WAqE!h}6>W^kMq_}4-9!+C5{ifg
zVSLqE1QEqL9nk?BN_D_EMBWNIDx&pK5%B?3MFF4f21RWDbUHit?tb4r_wG68p7VhW
zW+TX8lo!)!FpcIA!xATV`n4ZeE_P<r-TUecuxHx%W`$=B+QTr50fAJ^4%jg1%Mhj`
zO)SPH0<Hzvvc?M~TnSF-R7#bO#Bo9ury|ujsn(Mi06dEgo#h=RmPBziO0HPU6}`8W
z%XBJDJcZ(Q1kR1rXmnhW5OV=eAOC6tJK1Q}sxVT`!*MXd*&YkT_#glT@q<CYN@x4&
z0OMmpA0RN~{eS;FfrrIEJC@781JL1kyq?4rm@^n>F_E#@Uq(fW#r_xw5(EKkI_3e~
z-^b=O5?jPVp+qv>UlPIP11u0^&?bJGLYM*3GiYNVinpa@&|s(;8CSYc9aCX_Uko>G
zU--JNJ{ZZ1sBG;TxYe_XY`WLeu`Ssvq^zPJb*O8Uvho)=*gN+wVRVR|q=!93jHVf;
z7YS8|_^W?)4GrkRUi%NtQSPYSn)cFpMP<!WpB1Sb*YdRo9p{+sV84XV(1eFxqRpEp
zpOjdS>1!)}<#%6%m@c;Ytnw*%n<6R8zNRkv(@ld-=kKd-72e%h%{qNHrMo^}TtC*G
zxGWBaQ};M_XA|B(hbQUh+<+es&<=Xms$2U~U+h2r=tjJ>CM?Opt|jx4psitEy*52X
zG0iA0AKIJgzfsL|t(<BOF%XzMaklKri9nYnGkbS*t^1M7PJ1f#t4uY*+I{jtdSI<f
zMOj3$o2R0=cw1)8FD=47r)s>HpBb3CwQ!bGm2Ix$nZo@^va|fI{fN%C<H5B1QvaML
z`}_Qc%*4uF^FCkm{ckV&4?INBK7JAX%>jAwkr-37F@JKAEOKUwuS0rdoIG}oN&m8;
zu-<pDJSc6;;RfaT`OzHXD>y7AciEKmmW}#3MJ1@RUmMzP5}@1nCT%Vooadi0;hamz
ztGLpNs&R`I>~E^g-ghJ0BQ8%;loUp<-8DYWya^gSS{pMfVCP=BZ|BWq-t9>%ANaT|
zK&L>D(t53M^H0JVeg#8rSFRT3y{m|*sP;<0d=?p|78z)C7=jOF&@ieZ{J~hNnA{y<
z_%Fm7FsT<+Ab@S*##lInYSB7i7_bmr#Lx!}kAdM^ri~vHM&Jt`R&=nDYDa4dG8k4g
z*om`Vr_;_v(Zs|=-f;V%axDoWKU&bh7Zc_}LWqR)kd7K8ghSlnnV_%=Qc^<=$*4yM
z@u(FMq=5)XJ3L!Bi}ieHF2n=YOy)WRi_#B(j=Dnw7IpY9cc`rhl%EX4l&n}GP)<)6
z^*KUXjgs`?PIG4?P6&tRntvKb1w+>XlC$dUvsF_%uMG}2vHK*1(vEbFQD9qGiaMO@
z_GH(X%kg=x^o{R;A$!Cb7)CaO<Wc7UoHddwjhxheNR~(lqDOWBTGj$fHc2X-?^CJQ
z#%g2=RH=%^Nz~H(QjJn77EAvjY!tExo75s~Qjw6SzzLq5&;gO<3O$ezFcSn92Nnym
z_#=mp-W7psHKa<XAvU3MB9=sTIH{B3xLi)iWz-?DpUMiQ%=8QxhGMMLH64$O9}A+0
zXqVkhjK*-K+lC*`9cdPqy=^SmjSK~>_DYa_XIekxtS}nq_tgHLbpF)hX5rpT^P864
zIsKsVNxXGuo`8O`t(ClU1f6{mY$&OX4*&Xfd(oDO>pe6crMGs*w-C=biwc(JmT)=8
zv(GQe?=qC$>$G`_$+9j!_qGkaw13;t*62&)bM=$h?jin1H=PYz-`#e2#%s`PSas_7
zZPx>N{HoH+o>$qNra$~T%x^;7`f4-dOgB!fcz3Kk@>0%#xt<@MRsCZ84EN$=Y0sh7
v-An4f;d)=}dt;pn$K*2liKZ%-^RCr5+e2UK2e$SXUB6&gwTE64x6=7<o{DoD

literal 0
HcmV?d00001

diff --git a/example/src/test/java/eu/webeid/example/security/WebEidAuthenticationTest.java b/example/src/test/java/eu/webeid/example/security/WebEidAuthenticationTest.java
new file mode 100644
index 0000000..630cf49
--- /dev/null
+++ b/example/src/test/java/eu/webeid/example/security/WebEidAuthenticationTest.java
@@ -0,0 +1,23 @@
+package eu.webeid.example.security;
+
+import eu.webeid.security.certificate.CertificateLoader;
+import org.junit.jupiter.api.Test;
+import org.springframework.security.core.Authentication;
+
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class WebEidAuthenticationTest {
+
+    private static final String ORGANIZATION_CERT = "MIIF2zCCA8OgAwIBAgIQJs4xyGoNzixjYmV9gUjYljANBgkqhkiG9w0BAQsFADCBjjELMAkGA1UEBhMCRUUxIjAgBgNVBAoMGUFTIFNlcnRpZml0c2VlcmltaXNrZXNrdXMxITAfBgNVBAsMGFNlcnRpZml0c2VlcmltaXN0ZWVudXNlZDEXMBUGA1UEYQwOTlRSRUUtMTA3NDcwMTMxHzAdBgNVBAMMFlRFU1Qgb2YgS0xBU1MzLVNLIDIwMTYwHhcNMjIxMTAyMTI0MTA0WhcNMjUxMjAxMTI0MTA0WjB7MREwDwYDVQQFEwgxMjI3NjI3OTERMA8GA1UECAwISGFyanVtYWExEDAOBgNVBAcMB1RhbGxpbm4xCzAJBgNVBAYTAkVFMRAwDgYDVQQKDAdUVFQgT8OcMSIwIAYDVQQDDBlUZXN0aWphZC5lZSBpc2lrdXR1dmFzdHVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzSV4zydk5WY2AuUJ50lNpH3q2C+WH0dE/wqq4nFqpNYkyzFNHecFDFlU0YcpPrhFKDZfJtaAP/drvmdqaVdAcCGIPnXhZ+01pCvmlebe7//kQXaZ6ZHS3EAtwy0EBsVVOMapw1kC58YYymlJhTrdzDFrqjdgv1t1Ph9Gkg/PhaHvqGtKp3IY+v33EwxEV3nPIhZHHC/d0YnzVaN5QiSHbU+mRt8+d2vHPNPNY3qVDh8MPOrJIDeIHp9oSS1+FF4crnvfxmg99d7zemsSstR8/SXedYuvWZb6iSybAjhucp21uF0tcqJ2k6+ZH/976AEy0IC8r4tgf7r70hhYu6KOOQIDAQABo4IBRTCCAUEwCQYDVR0TBAIwADBUBgNVHSAETTBLMDIGCysGAQQBzh8HAQIGMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL2NwczAIBgYEAI96AQEwCwYJKwYBBAHOHwkDMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFC4bj7sBLzT42jAEi1zB8lwl49j3MA4GA1UdDwEB/wQEAwIEsDAdBgNVHQ4EFgQUbNSRZSddDUofhxlpoSVEunofez8weQYIKwYBBQUHAQEEbTBrMC0GCCsGAQUFBzABhiFodHRwOi8vYWlhLmRlbW8uc2suZWUva2xhc3MzLTIwMTYwOgYIKwYBBQUHMAKGLmh0dHBzOi8vYy5zay5lZS9URVNUX29mX0tMQVNTMy1TS18yMDE2LmRlci5jcnQwDQYJKoZIhvcNAQELBQADggIBAE8Z/GIEfPWGMe1fHYqCQ2v3zSOuIzyeEId595wrknl7IcLY8ogG10oDUw6rDWQ6jMBS5PINUG+WpH6Wo8qxkPY5Dz4WQvBB2qnuJTH3Bvm/PFpsD1Jk7dOF35P4kfX63NnsCkccRxwlhjFE56WdxDOwhC+neF5FP4hvYvbIIK73DVxRg6yBe4i/Y/g5MOXKrzpHvRzMTURqR3lF0dAgIwMNluik4so/B2DIXMYHi6jZVJlwdQriyL7HI4/Ub3QwyTrbfJtXkwWINsMaCFG+Ccjae3TVRFDJvIIE/gQd4wEh+PK0RJBYfOnAypFEKyH+giID7LIAnO90MY6mNl1QSLQWrdlqMxv+fDdEi/JwGLZyHzEOxKs9C4S8zngwCiDFBHMtJcL9A1vq512yBz5aXYwlqcmjcQDegLT6s6otu+AXO8ZOdqsA+/ak7BEl0FUWlsc8yLKa4cuLiV68iArfl+VFVIZ+jgdMplwUuf5c2QN5f0gPZZxkiAXQ8D8qssW1yI+dLCuPXPwyMENGxWTzyodcSdkpZsdIyOg7/o+WK3RczvMjjT8X8F4XKo8JPjZBYyGBx5XkqhwVrX3SjEmRPFdcvy+glYRoTslgM2fsj5fSNxCIsq1fQN8yVjYnxk8/X53AsorcpWpLMHxtoxT+YvNZzryY00QjS5kgUQBNmFaU";
+
+    @Test
+    void whenOrganizationCertificate_thenSucceeds() throws Exception {
+        final X509Certificate certificate = CertificateLoader.decodeCertificateFromBase64(ORGANIZATION_CERT);
+        final Authentication authentication = WebEidAuthentication.fromCertificate(certificate, Collections.emptyList());
+        assertThat(authentication.getPrincipal()).isEqualTo("Testijad.ee isikutuvastus");
+    }
+
+}
\ No newline at end of file

From e65499eef36f179990e7f19ed7a357b98e742053 Mon Sep 17 00:00:00 2001
From: Kristel Merilain <kristel.merilain@ria.ee>
Date: Wed, 16 Nov 2022 10:04:14 +0200
Subject: [PATCH 061/116] Add bullseye, Linux Mint 21 and kinetic and remove
 impish support

---
 .../scripts/download-install-web-eid.sh       | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
index 6fc4cf8..305bb04 100755
--- a/example/src/main/resources/static/scripts/download-install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/download-install-web-eid.sh
@@ -61,10 +61,10 @@ test_sudo
 # version   name    LTS   supported until
 # 18.04     bionic  LTS   2023-04
 # 20.04     focal   LTS   2025-04
-# 21.10     impish   -    2022-07
 # 22.04     jammy   LTS   2027-04
-LATEST_SUPPORTED_UBUNTU_CODENAME='jammy'
-LATEST_SUPPORTED_UBUNTU_VERSION='22.04'
+# 22.10     kinetic   -   2023-07
+LATEST_SUPPORTED_UBUNTU_CODENAME='kinetic'
+LATEST_SUPPORTED_UBUNTU_VERSION='22.10'
 
 # Check the distro and release.
 distro=$(lsb_release -is | tr '[:upper:]' '[:lower:]')
@@ -80,6 +80,11 @@ case $distro in
           make_warn "Installing from ubuntu-bionic repository"
           make_install '18.04'
           ;;
+        bullseye)
+          make_warn "Debian $codename is not officially supported"
+          make_warn "Installing from ubuntu-focal repository"
+          make_install '20.04'
+          ;;
         *)
           make_fail "Debian $codename is not officially supported"
           ;;
@@ -91,10 +96,10 @@ case $distro in
          *) ;;
       esac
       case $codename in
-        utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute)
+        utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute|impish)
           make_fail "Ubuntu $codename is not officially supported"
           ;;
-        bionic|focal|impish|jammy)
+        bionic|focal|jammy|kinetic)
           make_install $release
           ;;
         *)
@@ -106,6 +111,10 @@ case $distro in
       ;;
    linuxmint)
       case $release in
+        21*)
+          make_warn "Linuxmint 21 is not officially supported"
+          make_install '22.04'
+          ;;
         20*)
           make_warn "Linuxmint 20 is not officially supported"
           make_install '20.04'

From c4f9eb499b38e5d1f75510048cd6a481296be668 Mon Sep 17 00:00:00 2001
From: Kristel Merilain <kristel.merilain@ria.ee>
Date: Tue, 29 Nov 2022 10:42:18 +0200
Subject: [PATCH 062/116] Update Ubuntu package version

---
 .../main/resources/static/scripts/download-install-web-eid.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
index 305bb04..9eb1148 100755
--- a/example/src/main/resources/static/scripts/download-install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/download-install-web-eid.sh
@@ -34,9 +34,9 @@ make_install() {
   echo "Installing Web eID packages for Ubuntu $1"
   TMPDIR=`mktemp -d`
   cd $TMPDIR
-  VERSION='2.0.2'
+  VERSION='2.2.0'
   # BUILD=`[[ $1 == *0 ]] && echo 555 || echo 552`
-  BUILD='565'
+  BUILD='572'
   UBUNTU_VERSION=${1//./}
   wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid_${VERSION}.${BUILD}-${UBUNTU_VERSION}_all.deb"
   wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-chrome_${VERSION}.${BUILD}-${UBUNTU_VERSION}_all.deb"

From 3a6cf180ca63ba9e843b8166d3a8f26e5e7a5566 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mart=20S=C3=B5mermaa?= <mrts.pydev@gmail.com>
Date: Wed, 30 Nov 2022 21:49:08 +0200
Subject: [PATCH 063/116] docs(README): explain how to run the application with
 prod profile

---
 example/README.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/example/README.md b/example/README.md
index 38ad601..5df01c3 100644
--- a/example/README.md
+++ b/example/README.md
@@ -59,6 +59,12 @@ Build and run the application with the following command in a terminal window:
 
 This will activate the default `dev` profile and launch the built-in Tomcat web server on port 8080 that was forwarded using _ngrok_ in step 1.
 
+If you want to use the `prod` profile, build and run the application with the following command:
+
+```sh
+./mvnw -Pprod -Dspring-boot.run.profiles=prod spring-boot:run
+```
+
 When the application has started, open the _ngrok_ HTTPS URL in your preferred web browser and follow instructions on the front page.
 
 ## Table of contents

From 7420e22d41d255bdf7799c967980ba96abeed25f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mart=20S=C3=B5mermaa?= <mrts.pydev@gmail.com>
Date: Wed, 30 Nov 2022 22:02:45 +0200
Subject: [PATCH 064/116] docs(README): add CertificateNotTrustedException to
 FAQ

---
 example/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/README.md b/example/README.md
index 5df01c3..55049e7 100644
--- a/example/README.md
+++ b/example/README.md
@@ -259,5 +259,5 @@ When running the application with the `dev` profile in test mode, you need to up
 
 ### Why do I get the `401 Unauthorized "Authentication failed: Web eID token validation failed"` response during authentication?
 
-One possible reason is that you are using the test ID card on a site that is running in production mode or, vice-versa, a real ID card on a site that is running in test mode; or any other ID card whose certificate authority has not been added to the list of trusted certificate authorities.
+One possible reason is that you are using the test ID card on a site that is running in production mode or, vice-versa, a real ID card on a site that is running in test mode; or any other ID card whose certificate authority has not been added to the list of trusted certificate authorities. There will be a `CertificateNotTrustedException` in the logs in this case.
 

From 533f421422d0623b774d83978a930d599211c1eb Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 27 Dec 2022 23:15:06 +0200
Subject: [PATCH 065/116] release: Web eID release v2.2.0, PHP validation
 library published

---
 example/pom.xml                                 |  4 ++--
 example/src/main/resources/static/js/web-eid.js | 12 ++----------
 example/src/main/resources/templates/index.html | 14 ++++++++++----
 3 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/example/pom.xml b/example/pom.xml
index 8768f36..f16f38c 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.7.2</version>
+		<version>2.7.7</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>org.webeid.example</groupId>
@@ -20,7 +20,7 @@
 		<java.version>1.8</java.version>
 		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
 		<caffeine.version>2.8.5</caffeine.version>
-		<webeid.version>2.1.0</webeid.version>
+		<webeid.version>2.1.1</webeid.version>
 		<digidoc4j.version>4.3.0</digidoc4j.version>
 		<guava.version>31.1-jre</guava.version>
 		<okhttp.version>4.10.0</okhttp.version>
diff --git a/example/src/main/resources/static/js/web-eid.js b/example/src/main/resources/static/js/web-eid.js
index 803c911..ee9b770 100644
--- a/example/src/main/resources/static/js/web-eid.js
+++ b/example/src/main/resources/static/js/web-eid.js
@@ -1,7 +1,7 @@
 /**
  * MIT License
  *
- * Copyright (c) 2020-2021 Estonian Information System Authority
+ * Copyright (c) 2020-2022 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
@@ -48,20 +48,12 @@ var ErrorCode;
 (function (ErrorCode) {
     ErrorCode["ERR_WEBEID_ACTION_TIMEOUT"] = "ERR_WEBEID_ACTION_TIMEOUT";
     ErrorCode["ERR_WEBEID_USER_TIMEOUT"] = "ERR_WEBEID_USER_TIMEOUT";
-    ErrorCode["ERR_WEBEID_SERVER_TIMEOUT"] = "ERR_WEBEID_SERVER_TIMEOUT";
     ErrorCode["ERR_WEBEID_VERSION_MISMATCH"] = "ERR_WEBEID_VERSION_MISMATCH";
     ErrorCode["ERR_WEBEID_VERSION_INVALID"] = "ERR_WEBEID_VERSION_INVALID";
     ErrorCode["ERR_WEBEID_EXTENSION_UNAVAILABLE"] = "ERR_WEBEID_EXTENSION_UNAVAILABLE";
     ErrorCode["ERR_WEBEID_NATIVE_UNAVAILABLE"] = "ERR_WEBEID_NATIVE_UNAVAILABLE";
     ErrorCode["ERR_WEBEID_UNKNOWN_ERROR"] = "ERR_WEBEID_UNKNOWN_ERROR";
     ErrorCode["ERR_WEBEID_CONTEXT_INSECURE"] = "ERR_WEBEID_CONTEXT_INSECURE";
-    ErrorCode["ERR_WEBEID_PROTOCOL_INSECURE"] = "ERR_WEBEID_PROTOCOL_INSECURE";
-    ErrorCode["ERR_WEBEID_TLS_CONNECTION_BROKEN"] = "ERR_WEBEID_TLS_CONNECTION_BROKEN";
-    ErrorCode["ERR_WEBEID_TLS_CONNECTION_INSECURE"] = "ERR_WEBEID_TLS_CONNECTION_INSECURE";
-    ErrorCode["ERR_WEBEID_TLS_CONNECTION_WEAK"] = "ERR_WEBEID_TLS_CONNECTION_WEAK";
-    ErrorCode["ERR_WEBEID_CERTIFICATE_CHANGED"] = "ERR_WEBEID_CERTIFICATE_CHANGED";
-    ErrorCode["ERR_WEBEID_ORIGIN_MISMATCH"] = "ERR_WEBEID_ORIGIN_MISMATCH";
-    ErrorCode["ERR_WEBEID_SERVER_REJECTED"] = "ERR_WEBEID_SERVER_REJECTED";
     ErrorCode["ERR_WEBEID_USER_CANCELLED"] = "ERR_WEBEID_USER_CANCELLED";
     ErrorCode["ERR_WEBEID_NATIVE_INVALID_ARGUMENT"] = "ERR_WEBEID_NATIVE_INVALID_ARGUMENT";
     ErrorCode["ERR_WEBEID_NATIVE_FATAL"] = "ERR_WEBEID_NATIVE_FATAL";
@@ -112,7 +104,7 @@ class ExtensionUnavailableError extends Error {
 }
 
 var config = Object.freeze({
-    VERSION: "2.0.0",
+    VERSION: "2.0.1",
     EXTENSION_HANDSHAKE_TIMEOUT: 1000,
     NATIVE_APP_HANDSHAKE_TIMEOUT: 5 * 1000,
     DEFAULT_USER_INTERACTION_TIMEOUT: 2 * 60 * 1000,
diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index a235be1..e24d4c7 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -68,7 +68,7 @@ <h3><a id="usage"></a>Usage</h3>
                                     href="https://www.omgubuntu.co.uk/2022/04/how-to-install-firefox-deb-apt-ubuntu-22-04">here</a>.
                         </li>
                         <li>on <b>macOS</b> 10.15 or later, for Firefox and Chrome from <a
-                                href="https://installer.id.ee/media/web-eid/web-eid_2.0.2.565.dmg">here</a>,
+                                href="https://installer.id.ee/media/web-eid/web-eid_2.2.0.572.dmg">here</a>,
                         </li>
                         <li>on <b>macOS</b> 10.15 or later, for Safari, install the extension from <a
                                 href="https://apps.apple.com/ee/app/web-eid/id1576665083?mt=12">App Store</a>,
@@ -76,7 +76,7 @@ <h3><a id="usage"></a>Usage</h3>
                         <li>on <b>Windows</b> 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server
                             2022,
                             for Firefox, Chrome and Edge from <a
-                                    href="https://installer.id.ee/media/web-eid/web-eid_2.0.2.566.x64.exe">here</a>.
+                                    href="https://installer.id.ee/media/web-eid/web-eid_2.2.0.572.x64.exe">here</a>.
                         </li>
                     </ul>
                 </li>
@@ -196,10 +196,10 @@ <h3><a id="documentation"></a>Documentation</h3>
             <hr/>
             <h3><a id="for-developers"></a>For developers</h3>
             <p>
-                Currently the Web eID back-end libraries are available for Java and .NET web applications.
+                Currently the Web eID back-end libraries are available for Java, .NET and PHP web applications.
             </p>
             <p>
-                To implement authentication and digital signing with Web eID in a Java or .NET web application,
+                To implement authentication and digital signing with Web eID in a Java, .NET or PHP web application,
                 you need to
             <ul>
                 <li>use the <i>web-eid.js</i> JavaScript library in the front end of the web application
@@ -216,6 +216,10 @@ <h3><a id="for-developers"></a>For developers</h3>
                             instructions
                             <a href="https://github.com/web-eid/web-eid-authtoken-validation-dotnet#quickstart">here</a>
                         </li>
+                        <li>in PHP use the <i>web-eid-authtoken-validation-php</i> library according to the
+                            instructions
+                            <a href="https://github.com/web-eid/web-eid-authtoken-validation-php#quickstart">here</a>
+                        </li>
                     </ul>
                 </li>
                 <li>for digital signing
@@ -237,6 +241,8 @@ <h3><a id="for-developers"></a>For developers</h3>
                 <a href="https://github.com/web-eid/web-eid-spring-boot-example">here</a>.
                 The .NET/C# version of the example is available
                 <a href="https://github.com/web-eid/web-eid-asp-dotnet-example">here</a>.
+                The PHP version of the example is available
+                <a href="https://github.com/web-eid/web-eid-authtoken-validation-php/tree/main/examples">here</a>.
             </p>
         </div>
     </div>

From 1693dbd214ae42310fc979a67bbffdca53edf8fa Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 20 Jan 2023 19:32:08 +0200
Subject: [PATCH 066/116] docs(index.html): Belgian cards are supported now

---
 example/src/main/resources/templates/index.html | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index e24d4c7..2f45906 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -27,9 +27,8 @@ <h2>Web eID: electronic ID smart cards on the Web</h2>
                 secure authentication and digital signing of documents on the web using public-key cryptography.
             </p>
             <p>
-                Estonian, Finnish, Latvian, Lithuanian and Croatian eID cards are supported in the first phase, but only
-                Estonian eID card support is currently enabled in the test application below. Belgian eID support is
-                upcoming.
+                Estonian, Finnish, Latvian, Lithuanian, Belgian and Croatian eID cards are supported in the first phase,
+                but only Estonian eID card support is currently enabled in the test application below.
             </p>
             <p>
                 Please get in touch by email at help@ria.ee in case you need support with adding Web eID to your project

From 282dec2886355bddfa6a2477567599a565262680 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 20 Jan 2023 19:52:30 +0200
Subject: [PATCH 067/116] chore: update copyright year

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 .../WebEidSpringbootExampleApplication.java   |  2 +-
 .../config/ApplicationConfiguration.java      |  2 +-
 .../config/SameSiteCookieConfiguration.java   |  2 +-
 .../SessionBackedChallengeNonceStore.java     | 22 +++++++++++++++++++
 .../config/ValidationConfiguration.java       |  2 +-
 .../eu/webeid/example/config/YAMLConfig.java  |  2 +-
 .../AuthTokenDTOAuthenticationProvider.java   |  2 +-
 .../WebEidAjaxLoginProcessingFilter.java      |  2 +-
 .../security/WebEidAuthentication.java        |  2 +-
 .../AjaxAuthenticationFailureHandler.java     |  2 +-
 .../AjaxAuthenticationSuccessHandler.java     |  2 +-
 .../example/security/dto/AuthTokenDTO.java    |  2 +-
 .../example/service/SigningService.java       |  2 +-
 .../example/service/dto/CertificateDTO.java   |  2 +-
 .../example/service/dto/ChallengeDTO.java     |  2 +-
 .../webeid/example/service/dto/DigestDTO.java |  2 +-
 .../webeid/example/service/dto/FileDTO.java   |  2 +-
 .../service/dto/SignatureAlgorithmDTO.java    |  2 +-
 .../example/service/dto/SignatureDTO.java     |  2 +-
 .../webeid/example/web/WelcomeController.java |  2 +-
 .../example/web/rest/ChallengeController.java |  2 +-
 .../example/web/rest/SigningController.java   |  2 +-
 .../src/main/resources/static/js/errors.js    |  2 +-
 .../src/main/resources/static/js/web-eid.js   |  2 +-
 .../AuthenticationRestControllerTest.java     |  2 +-
 .../eu/webeid/example/DateMockingTest.java    |  2 +-
 .../eu/webeid/example/WebApplicationTest.java |  2 +-
 .../eu/webeid/example/testutil/Dates.java     |  2 +-
 .../webeid/example/testutil/HttpHelper.java   |  2 +-
 .../webeid/example/testutil/ObjectMother.java |  2 +-
 30 files changed, 51 insertions(+), 29 deletions(-)

diff --git a/example/src/main/java/eu/webeid/example/WebEidSpringbootExampleApplication.java b/example/src/main/java/eu/webeid/example/WebEidSpringbootExampleApplication.java
index 8336b75..2af43ab 100644
--- a/example/src/main/java/eu/webeid/example/WebEidSpringbootExampleApplication.java
+++ b/example/src/main/java/eu/webeid/example/WebEidSpringbootExampleApplication.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
index d29add3..0b5c2dc 100644
--- a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java b/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java
index 4803cf9..1b87329 100644
--- a/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java b/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
index c9021ca..054c93c 100644
--- a/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
+++ b/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
@@ -1,3 +1,25 @@
+/*
+ * Copyright (c) 2020-2023 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 package eu.webeid.example.config;
 
 import org.jetbrains.annotations.NotNull;
diff --git a/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
index 4fcc505..26c6e0e 100644
--- a/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2021 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/config/YAMLConfig.java b/example/src/main/java/eu/webeid/example/config/YAMLConfig.java
index 5c874ef..e8fecd3 100644
--- a/example/src/main/java/eu/webeid/example/config/YAMLConfig.java
+++ b/example/src/main/java/eu/webeid/example/config/YAMLConfig.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java b/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
index 8cc05ac..95ea1ee 100644
--- a/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
+++ b/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2021 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
index 0d8ed01..de319eb 100644
--- a/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
index c996698..1726ff1 100644
--- a/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
index a21e7e9..d7c308e 100644
--- a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
+++ b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
index 4567db7..e1e0db0 100644
--- a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
+++ b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/dto/AuthTokenDTO.java b/example/src/main/java/eu/webeid/example/security/dto/AuthTokenDTO.java
index a2f4b01..c0f4cd2 100644
--- a/example/src/main/java/eu/webeid/example/security/dto/AuthTokenDTO.java
+++ b/example/src/main/java/eu/webeid/example/security/dto/AuthTokenDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/SigningService.java b/example/src/main/java/eu/webeid/example/service/SigningService.java
index 80e7fc6..a219e4e 100644
--- a/example/src/main/java/eu/webeid/example/service/SigningService.java
+++ b/example/src/main/java/eu/webeid/example/service/SigningService.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2021 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java b/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java
index 4d80dde..cc0c103 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java b/example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java
index 872a260..a882db2 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/DigestDTO.java b/example/src/main/java/eu/webeid/example/service/dto/DigestDTO.java
index 1b05dba..483a71b 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/DigestDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/DigestDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java b/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java
index 47a2bcf..af2e24e 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java b/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
index 142e393..4ee0a5a 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/SignatureDTO.java b/example/src/main/java/eu/webeid/example/service/dto/SignatureDTO.java
index c3df702..5a416cc 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/SignatureDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/SignatureDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/web/WelcomeController.java b/example/src/main/java/eu/webeid/example/web/WelcomeController.java
index 22befa9..dcd09da 100644
--- a/example/src/main/java/eu/webeid/example/web/WelcomeController.java
+++ b/example/src/main/java/eu/webeid/example/web/WelcomeController.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java b/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java
index 01eec9d..a81aa68 100644
--- a/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java
+++ b/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/web/rest/SigningController.java b/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
index 840cde8..abdda22 100644
--- a/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
+++ b/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2021 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/resources/static/js/errors.js b/example/src/main/resources/static/js/errors.js
index 7bc8c92..1665e6d 100644
--- a/example/src/main/resources/static/js/errors.js
+++ b/example/src/main/resources/static/js/errors.js
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/resources/static/js/web-eid.js b/example/src/main/resources/static/js/web-eid.js
index ee9b770..0fd4f07 100644
--- a/example/src/main/resources/static/js/web-eid.js
+++ b/example/src/main/resources/static/js/web-eid.js
@@ -1,7 +1,7 @@
 /**
  * MIT License
  *
- * Copyright (c) 2020-2022 Estonian Information System Authority
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java b/example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java
index 74bf6b5..fcd4214 100644
--- a/example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java
+++ b/example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/test/java/eu/webeid/example/DateMockingTest.java b/example/src/test/java/eu/webeid/example/DateMockingTest.java
index 75513a9..6d96ba6 100644
--- a/example/src/test/java/eu/webeid/example/DateMockingTest.java
+++ b/example/src/test/java/eu/webeid/example/DateMockingTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/test/java/eu/webeid/example/WebApplicationTest.java b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
index f4e51ac..4295915 100644
--- a/example/src/test/java/eu/webeid/example/WebApplicationTest.java
+++ b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2021 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/test/java/eu/webeid/example/testutil/Dates.java b/example/src/test/java/eu/webeid/example/testutil/Dates.java
index 152a9ff..23e367c 100644
--- a/example/src/test/java/eu/webeid/example/testutil/Dates.java
+++ b/example/src/test/java/eu/webeid/example/testutil/Dates.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java b/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
index a45c74c..2a548df 100644
--- a/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
+++ b/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
index 5d4b081..2b07576 100644
--- a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
+++ b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 The Web eID Project
+ * Copyright (c) 2020-2023 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal

From c435c0f3cf875c02917a21daf78769022d03ebc4 Mon Sep 17 00:00:00 2001
From: Kristel Merilain <kristel.merilain@ria.ee>
Date: Wed, 1 Mar 2023 11:39:46 +0200
Subject: [PATCH 068/116] Remove bionic support (#22)

IB-7398

Signed-off-by: Kristel Merilain <kristel.merilain@ria.ee>
---
 .../scripts/download-install-web-eid.sh       | 30 +++++++------------
 1 file changed, 10 insertions(+), 20 deletions(-)

diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
index 9eb1148..32e23de 100755
--- a/example/src/main/resources/static/scripts/download-install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/download-install-web-eid.sh
@@ -59,7 +59,6 @@ test_root
 test_sudo
 
 # version   name    LTS   supported until
-# 18.04     bionic  LTS   2023-04
 # 20.04     focal   LTS   2025-04
 # 22.04     jammy   LTS   2027-04
 # 22.10     kinetic   -   2023-07
@@ -75,11 +74,6 @@ case $distro in
    debian)
       make_warn "Debian is not officially supported"
       case "$codename" in
-        buster)
-          make_warn "Debian $codename is not officially supported"
-          make_warn "Installing from ubuntu-bionic repository"
-          make_install '18.04'
-          ;;
         bullseye)
           make_warn "Debian $codename is not officially supported"
           make_warn "Installing from ubuntu-focal repository"
@@ -96,10 +90,10 @@ case $distro in
          *) ;;
       esac
       case $codename in
-        utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute|impish)
+        utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute|impish|bionic)
           make_fail "Ubuntu $codename is not officially supported"
           ;;
-        bionic|focal|jammy|kinetic)
+        focal|jammy|kinetic)
           make_install $release
           ;;
         *)
@@ -112,27 +106,23 @@ case $distro in
    linuxmint)
       case $release in
         21*)
-          make_warn "Linuxmint 21 is not officially supported"
+          make_warn "Linux Mint 21 is not officially supported"
           make_install '22.04'
           ;;
         20*)
-          make_warn "Linuxmint 20 is not officially supported"
+          make_warn "Linux Mint 20 is not officially supported"
           make_install '20.04'
           ;;
-        19*)
-          make_warn "LinuxMint 19 is not officially supported"
-          make_install '18.04'
-          ;;
         *)
-          make_fail "LinuxMint $release is not officially supported"
+          make_fail "Linux Mint $release is not officially supported"
           ;;
       esac
       ;;
    elementary*os|elementary)
       case $release in
-        5.*)
-          make_warn "Elementary OS 5 is not officially supported"
-          make_install '18.04'
+        7*)
+          make_warn "Elementary OS 7 is not officially supported"
+          make_install '22.04'
           ;;
         *)
           make_fail "Elementary OS $release is not officially supported"
@@ -141,10 +131,10 @@ case $distro in
       ;;
    pop)
       case $codename in
-        artful|cosmic|disco|eoan)
+        artful|cosmic|disco|eoan|bionic)
           make_fail "Pop!_OS $codename is not officially supported"
           ;;
-        bionic|focal)
+        focal)
           make_warn "Pop!_OS $codename is not officially supported"
           make_install $release
           ;;

From abf97d06d97019a4c88b43ae5c97e4a241fca3c0 Mon Sep 17 00:00:00 2001
From: Kristel Merilain <kristel.merilain@ria.ee>
Date: Wed, 19 Apr 2023 13:47:33 +0300
Subject: [PATCH 069/116] Update Ubuntu package version and add bookworm
 support

---
 .../static/scripts/download-install-web-eid.sh        | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
index 32e23de..3598b9c 100755
--- a/example/src/main/resources/static/scripts/download-install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/download-install-web-eid.sh
@@ -34,9 +34,9 @@ make_install() {
   echo "Installing Web eID packages for Ubuntu $1"
   TMPDIR=`mktemp -d`
   cd $TMPDIR
-  VERSION='2.2.0'
+  VERSION='2.3.0'
   # BUILD=`[[ $1 == *0 ]] && echo 555 || echo 552`
-  BUILD='572'
+  BUILD='619'
   UBUNTU_VERSION=${1//./}
   wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid_${VERSION}.${BUILD}-${UBUNTU_VERSION}_all.deb"
   wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-chrome_${VERSION}.${BUILD}-${UBUNTU_VERSION}_all.deb"
@@ -79,6 +79,11 @@ case $distro in
           make_warn "Installing from ubuntu-focal repository"
           make_install '20.04'
           ;;
+        bookworm)
+          make_warn "Debian $codename is not officially supported"
+          make_warn "Installing from ubuntu-kinetic repository"
+          make_install '22.10'
+          ;;
         *)
           make_fail "Debian $codename is not officially supported"
           ;;
@@ -134,7 +139,7 @@ case $distro in
         artful|cosmic|disco|eoan|bionic)
           make_fail "Pop!_OS $codename is not officially supported"
           ;;
-        focal)
+        focal|jammy)
           make_warn "Pop!_OS $codename is not officially supported"
           make_install $release
           ;;

From acf1abb5de7334dd04d81215821a95c7974eee0d Mon Sep 17 00:00:00 2001
From: Kristel Merilain <kristel.merilain@ria.ee>
Date: Thu, 27 Apr 2023 06:43:28 +0300
Subject: [PATCH 070/116] Update copyright year (#24)

---
 example/LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/LICENSE b/example/LICENSE
index 1d8f1fd..326ac32 100644
--- a/example/LICENSE
+++ b/example/LICENSE
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2020-2022 Estonian Information System Authority
+Copyright (c) 2020-2023 Estonian Information System Authority
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

From 6a5760d30bc034b3cb47de960df0a31285cf9029 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 14 Jun 2023 22:51:18 +0000
Subject: [PATCH 071/116] build(deps): bump guava from 31.1-jre to 32.0.0-jre

Bumps [guava](https://github.com/google/guava) from 31.1-jre to 32.0.0-jre.
- [Release notes](https://github.com/google/guava/releases)
- [Commits](https://github.com/google/guava/commits)

---
updated-dependencies:
- dependency-name: com.google.guava:guava
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 example/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/pom.xml b/example/pom.xml
index f16f38c..72ad448 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -22,7 +22,7 @@
 		<caffeine.version>2.8.5</caffeine.version>
 		<webeid.version>2.1.1</webeid.version>
 		<digidoc4j.version>4.3.0</digidoc4j.version>
-		<guava.version>31.1-jre</guava.version>
+		<guava.version>32.0.0-jre</guava.version>
 		<okhttp.version>4.10.0</okhttp.version>
 		<jmockit.version>1.44</jmockit.version>
 	</properties>

From 511e25451ed33cf016bdb269df56715a0122091f Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 11 Jul 2023 20:09:30 +0300
Subject: [PATCH 072/116] release: Web eID release v2.3.0/1

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/pom.xml                                 | 14 ++++----------
 example/src/main/resources/templates/index.html |  8 ++++----
 2 files changed, 8 insertions(+), 14 deletions(-)

diff --git a/example/pom.xml b/example/pom.xml
index 72ad448..bfc8093 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.7.7</version>
+		<version>2.7.13</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>org.webeid.example</groupId>
@@ -20,9 +20,9 @@
 		<java.version>1.8</java.version>
 		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
 		<caffeine.version>2.8.5</caffeine.version>
-		<webeid.version>2.1.1</webeid.version>
+		<webeid.version>2.1.2</webeid.version>
 		<digidoc4j.version>4.3.0</digidoc4j.version>
-		<guava.version>32.0.0-jre</guava.version>
+		<guava.version>32.0.1-jre</guava.version>
 		<okhttp.version>4.10.0</okhttp.version>
 		<jmockit.version>1.44</jmockit.version>
 	</properties>
@@ -143,14 +143,8 @@
 		<repository>
 			<id>gitlab</id>
 			<url>https://gitlab.com/api/v4/projects/19948337/packages/maven</url>
-			<releases>
-				<enabled>true</enabled>
-			</releases>
-			<snapshots>
-				<enabled>true</enabled>
-			</snapshots>
 			<!-- Github Packages does not currently support public access, so disabled until it does.
-			     See https://github.community/t/download-from-github-package-registry-without-authentication/14407
+			     See https://github.com/orgs/community/discussions/26634
 			<id>github</id>
 			<url>https://maven.pkg.github.com/web-eid/web-eid-authtoken-validation-java</url>
 			-->
diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index 2f45906..e126508 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -66,16 +66,16 @@ <h3><a id="usage"></a>Usage</h3>
                             Firefox in Ubuntu 22.04+. Instructions how to do that are available <a
                                     href="https://www.omgubuntu.co.uk/2022/04/how-to-install-firefox-deb-apt-ubuntu-22-04">here</a>.
                         </li>
-                        <li>on <b>macOS</b> 10.15 or later, for Firefox and Chrome from <a
-                                href="https://installer.id.ee/media/web-eid/web-eid_2.2.0.572.dmg">here</a>,
+                        <li>on <b>macOS</b> 11 or later, for Firefox and Chrome from <a
+                                href="https://installer.id.ee/media/web-eid/web-eid_2.3.0.619.dmg">here</a>,
                         </li>
-                        <li>on <b>macOS</b> 10.15 or later, for Safari, install the extension from <a
+                        <li>on <b>macOS</b> 11 or later, for Safari, install the extension from <a
                                 href="https://apps.apple.com/ee/app/web-eid/id1576665083?mt=12">App Store</a>,
                         </li>
                         <li>on <b>Windows</b> 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server
                             2022,
                             for Firefox, Chrome and Edge from <a
-                                    href="https://installer.id.ee/media/web-eid/web-eid_2.2.0.572.x64.exe">here</a>.
+                                    href="https://installer.id.ee/media/web-eid/web-eid_2.3.1.634.x64.exe">here</a>.
                         </li>
                     </ul>
                 </li>

From 934145e53b0347ece21b516502d7745b89084a44 Mon Sep 17 00:00:00 2001
From: Raul Metsma <raul@metsma.ee>
Date: Fri, 28 Jul 2023 22:29:35 +0300
Subject: [PATCH 073/116] Update download-install-web-eid.sh

Add lunar to supported list
---
 .../resources/static/scripts/download-install-web-eid.sh   | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
index 3598b9c..d7dc1a7 100755
--- a/example/src/main/resources/static/scripts/download-install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/download-install-web-eid.sh
@@ -62,8 +62,9 @@ test_sudo
 # 20.04     focal   LTS   2025-04
 # 22.04     jammy   LTS   2027-04
 # 22.10     kinetic   -   2023-07
-LATEST_SUPPORTED_UBUNTU_CODENAME='kinetic'
-LATEST_SUPPORTED_UBUNTU_VERSION='22.10'
+# 23.04     lunar   -     2024-01
+LATEST_SUPPORTED_UBUNTU_CODENAME='lunar'
+LATEST_SUPPORTED_UBUNTU_VERSION='23.04'
 
 # Check the distro and release.
 distro=$(lsb_release -is | tr '[:upper:]' '[:lower:]')
@@ -98,7 +99,7 @@ case $distro in
         utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute|impish|bionic)
           make_fail "Ubuntu $codename is not officially supported"
           ;;
-        focal|jammy|kinetic)
+        focal|jammy|kinetic|lunar)
           make_install $release
           ;;
         *)

From 1eb3ba233b4bb762fc080b064bfbffddf39eca3c Mon Sep 17 00:00:00 2001
From: Kristel Merilain <kristel.merilain@ria.ee>
Date: Fri, 4 Aug 2023 13:54:38 +0300
Subject: [PATCH 074/116] Update Ubuntu package version (#28)

WE2-809

Signed-off-by: Kristel Merilain <kristel.merilain@ria.ee>
---
 .../main/resources/static/scripts/download-install-web-eid.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
index d7dc1a7..efbfd0a 100755
--- a/example/src/main/resources/static/scripts/download-install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/download-install-web-eid.sh
@@ -34,9 +34,9 @@ make_install() {
   echo "Installing Web eID packages for Ubuntu $1"
   TMPDIR=`mktemp -d`
   cd $TMPDIR
-  VERSION='2.3.0'
+  VERSION='2.4.0'
   # BUILD=`[[ $1 == *0 ]] && echo 555 || echo 552`
-  BUILD='619'
+  BUILD='639'
   UBUNTU_VERSION=${1//./}
   wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid_${VERSION}.${BUILD}-${UBUNTU_VERSION}_all.deb"
   wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-chrome_${VERSION}.${BUILD}-${UBUNTU_VERSION}_all.deb"

From 62933e1e89257c538778d77a6226dac7d540c0f0 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Mon, 7 Aug 2023 17:36:22 +0300
Subject: [PATCH 075/116] deps: update to Java 11 and
 web-eid-authtoken-validation v3, get rid of Guava and OkHttp

---
 example/.github/workflows/maven-build.yml     | 13 ++++++-----
 example/docker-compose.yml                    |  2 +-
 example/pom.xml                               | 22 ++++---------------
 .../SessionBackedChallengeNonceStore.java     |  2 --
 .../example/service/SigningService.java       | 20 ++++++++++++-----
 .../src/main/resources/static/js/web-eid.js   |  4 ++--
 .../src/main/resources/templates/index.html   |  4 ++--
 7 files changed, 30 insertions(+), 37 deletions(-)

diff --git a/example/.github/workflows/maven-build.yml b/example/.github/workflows/maven-build.yml
index be61680..7b3120c 100644
--- a/example/.github/workflows/maven-build.yml
+++ b/example/.github/workflows/maven-build.yml
@@ -7,18 +7,19 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
-      - uses: actions/setup-java@v1
+      - uses: actions/setup-java@v3
         with:
-          java-version: 1.8
+          distribution: zulu
+          java-version: 11
 
       - name: Cache Maven packages
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.m2
-          key: ${{ runner.os }}-m2-v8-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2-v8-${{ secrets.CACHE_VERSION }}
+          key: ${{ runner.os }}-m2-v11-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-v11-${{ secrets.CACHE_VERSION }}
 
       - name: Build
         run: mvn --batch-mode compile
diff --git a/example/docker-compose.yml b/example/docker-compose.yml
index c7231bf..bae7f83 100644
--- a/example/docker-compose.yml
+++ b/example/docker-compose.yml
@@ -1,7 +1,7 @@
 version: '2'
 services:
   web-eid-springboot-example:
-    image: web-eid-springboot-example:2.0.0-SNAPSHOT
+    image: web-eid-springboot-example:3.0.0-SNAPSHOT
     restart: always
     environment:
       JAVA_TOOL_OPTIONS: '-Dspring.profiles.active=prod'
diff --git a/example/pom.xml b/example/pom.xml
index bfc8093..635e01c 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -5,25 +5,22 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.7.13</version>
+		<version>2.7.14</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>org.webeid.example</groupId>
 	<artifactId>web-eid-springboot-example</artifactId>
-	<version>2.0.0-SNAPSHOT</version>
+	<version>3.0.0-SNAPSHOT</version>
 	<name>web-eid-springboot-example</name>
 	<description>Example Spring Boot project that demonstrates how to use Web eID for authentication and digital
 		signing
 	</description>
 
 	<properties>
-		<java.version>1.8</java.version>
+		<java.version>11</java.version>
 		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
-		<caffeine.version>2.8.5</caffeine.version>
-		<webeid.version>2.1.2</webeid.version>
+		<webeid.version>3.0.0</webeid.version>
 		<digidoc4j.version>4.3.0</digidoc4j.version>
-		<guava.version>32.0.1-jre</guava.version>
-		<okhttp.version>4.10.0</okhttp.version>
 		<jmockit.version>1.44</jmockit.version>
 	</properties>
 
@@ -49,17 +46,6 @@
 			<artifactId>spring-security-config</artifactId>
 		</dependency>
 
-		<dependency>
-			<groupId>com.google.guava</groupId>
-			<artifactId>guava</artifactId>
-			<version>${guava.version}</version>
-		</dependency>
-		<dependency>
-			<groupId>com.squareup.okhttp3</groupId>
-			<artifactId>okhttp</artifactId>
-			<version>${okhttp.version}</version>
-		</dependency>
-
 		<dependency>
 			<groupId>org.digidoc4j</groupId>
 			<artifactId>digidoc4j</artifactId>
diff --git a/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java b/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
index 054c93c..00e0b9f 100644
--- a/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
+++ b/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
@@ -22,7 +22,6 @@
 
 package eu.webeid.example.config;
 
-import org.jetbrains.annotations.NotNull;
 import org.springframework.beans.factory.ObjectFactory;
 import eu.webeid.security.challenge.ChallengeNonce;
 import eu.webeid.security.challenge.ChallengeNonceStore;
@@ -51,7 +50,6 @@ public ChallengeNonce getAndRemoveImpl() {
         return challengeNonce;
     }
 
-    @NotNull
     private HttpSession currentSession() {
         return httpSessionFactory.getObject();
     }
diff --git a/example/src/main/java/eu/webeid/example/service/SigningService.java b/example/src/main/java/eu/webeid/example/service/SigningService.java
index a219e4e..aa5fba8 100644
--- a/example/src/main/java/eu/webeid/example/service/SigningService.java
+++ b/example/src/main/java/eu/webeid/example/service/SigningService.java
@@ -22,27 +22,33 @@
 
 package eu.webeid.example.service;
 
-import com.google.common.io.ByteStreams;
 import eu.webeid.example.config.YAMLConfig;
 import eu.webeid.example.security.WebEidAuthentication;
 import eu.webeid.example.service.dto.CertificateDTO;
 import eu.webeid.example.service.dto.DigestDTO;
 import eu.webeid.example.service.dto.FileDTO;
 import eu.webeid.example.service.dto.SignatureDTO;
+import eu.webeid.security.certificate.CertificateData;
 import org.apache.commons.io.FilenameUtils;
-import org.digidoc4j.*;
+import org.digidoc4j.Configuration;
+import org.digidoc4j.Container;
+import org.digidoc4j.ContainerBuilder;
+import org.digidoc4j.DataFile;
+import org.digidoc4j.DataToSign;
+import org.digidoc4j.Signature;
+import org.digidoc4j.SignatureBuilder;
+import org.digidoc4j.SignatureProfile;
 import org.digidoc4j.utils.TokenAlgorithmSupport;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.ObjectFactory;
 import org.springframework.core.io.ByteArrayResource;
 import org.springframework.stereotype.Service;
-import eu.webeid.example.web.rest.SigningController;
-import eu.webeid.security.certificate.CertificateData;
 
 import javax.servlet.http.HttpSession;
 import javax.xml.bind.DatatypeConverter;
 import java.io.IOException;
+import java.io.InputStream;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
@@ -55,7 +61,7 @@ public class SigningService {
     private static final String SESSION_ATTR_FILE = "file-to-sign";
     private static final String SESSION_ATTR_CONTAINER = "container-to-sign";
     private static final String SESSION_ATTR_DATA = "data-to-sign";
-    private static final Logger LOG = LoggerFactory.getLogger(SigningController.class);
+    private static final Logger LOG = LoggerFactory.getLogger(SigningService.class);
     private final Configuration signingConfiguration;
 
     ObjectFactory<HttpSession> httpSessionFactory;
@@ -145,7 +151,9 @@ public String getContainerName() {
 
     public ByteArrayResource getSignedContainerAsResource() throws IOException {
         Container signedContainer = (Container) Objects.requireNonNull(currentSession().getAttribute(SESSION_ATTR_CONTAINER));
-        return new ByteArrayResource(ByteStreams.toByteArray(signedContainer.saveAsStream()));
+        try (final InputStream stream = signedContainer.saveAsStream()) {
+            return new ByteArrayResource(stream.readAllBytes());
+        }
     }
 
     private Container getContainerToSign(FileDTO fileDTO) {
diff --git a/example/src/main/resources/static/js/web-eid.js b/example/src/main/resources/static/js/web-eid.js
index 0fd4f07..520fa88 100644
--- a/example/src/main/resources/static/js/web-eid.js
+++ b/example/src/main/resources/static/js/web-eid.js
@@ -104,7 +104,7 @@ class ExtensionUnavailableError extends Error {
 }
 
 var config = Object.freeze({
-    VERSION: "2.0.1",
+    VERSION: "2.0.2",
     EXTENSION_HANDSHAKE_TIMEOUT: 1000,
     NATIVE_APP_HANDSHAKE_TIMEOUT: 5 * 1000,
     DEFAULT_USER_INTERACTION_TIMEOUT: 2 * 60 * 1000,
@@ -243,7 +243,7 @@ class WebExtensionService {
             (_d = message.warnings) === null || _d === void 0 ? void 0 : _d.forEach((warning) => {
                 if (!this.loggedWarnings.includes(warning)) {
                     this.loggedWarnings.push(warning);
-                    console.warn(warning);
+                    console.warn(warning.replace(/\n|\r/g, ""));
                 }
             });
         }
diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index e126508..429b6b3 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -67,7 +67,7 @@ <h3><a id="usage"></a>Usage</h3>
                                     href="https://www.omgubuntu.co.uk/2022/04/how-to-install-firefox-deb-apt-ubuntu-22-04">here</a>.
                         </li>
                         <li>on <b>macOS</b> 11 or later, for Firefox and Chrome from <a
-                                href="https://installer.id.ee/media/web-eid/web-eid_2.3.0.619.dmg">here</a>,
+                                href="https://installer.id.ee/media/web-eid/web-eid_2.4.0.639.dmg">here</a>,
                         </li>
                         <li>on <b>macOS</b> 11 or later, for Safari, install the extension from <a
                                 href="https://apps.apple.com/ee/app/web-eid/id1576665083?mt=12">App Store</a>,
@@ -75,7 +75,7 @@ <h3><a id="usage"></a>Usage</h3>
                         <li>on <b>Windows</b> 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server
                             2022,
                             for Firefox, Chrome and Edge from <a
-                                    href="https://installer.id.ee/media/web-eid/web-eid_2.3.1.634.x64.exe">here</a>.
+                                    href="https://installer.id.ee/media/web-eid/web-eid_2.4.0.639.x64.exe">here</a>.
                         </li>
                     </ul>
                 </li>

From 6ce5720b2f9baf84b9d6ab3965bc773a232b762e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mart=20S=C3=B5mermaa?= <mrts@users.noreply.github.com>
Date: Thu, 24 Aug 2023 23:57:59 +0300
Subject: [PATCH 076/116] deps: update DigiDoc4j to v5.1.0
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Mart Sõmermaa <mrts@users.noreply.github.com>
---
 example/pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/example/pom.xml b/example/pom.xml
index 635e01c..2047739 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -20,7 +20,7 @@
 		<java.version>11</java.version>
 		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
 		<webeid.version>3.0.0</webeid.version>
-		<digidoc4j.version>4.3.0</digidoc4j.version>
+		<digidoc4j.version>5.1.0</digidoc4j.version>
 		<jmockit.version>1.44</jmockit.version>
 	</properties>
 
@@ -129,7 +129,7 @@
 		<repository>
 			<id>gitlab</id>
 			<url>https://gitlab.com/api/v4/projects/19948337/packages/maven</url>
-			<!-- Github Packages does not currently support public access, so disabled until it does.
+			<!-- GitHub Packages does not currently support public access, so disabled until it does.
 			     See https://github.com/orgs/community/discussions/26634
 			<id>github</id>
 			<url>https://maven.pkg.github.com/web-eid/web-eid-authtoken-validation-java</url>

From 627d4485ccfb75eb7e94d1e25532c2a8ffaeb205 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mart=20S=C3=B5mermaa?= <mrts@users.noreply.github.com>
Date: Thu, 24 Aug 2023 23:59:16 +0300
Subject: [PATCH 077/116] refactor: use ZonedDateTime in tests instead of Date
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Mart Sõmermaa <mrts@users.noreply.github.com>
---
 .../java/eu/webeid/example/DateMockingTest.java  | 12 ++++++------
 .../eu/webeid/example/WebApplicationTest.java    |  2 +-
 .../java/eu/webeid/example/testutil/Dates.java   | 16 +++++++---------
 3 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/example/src/test/java/eu/webeid/example/DateMockingTest.java b/example/src/test/java/eu/webeid/example/DateMockingTest.java
index 6d96ba6..6c1c345 100644
--- a/example/src/test/java/eu/webeid/example/DateMockingTest.java
+++ b/example/src/test/java/eu/webeid/example/DateMockingTest.java
@@ -25,20 +25,20 @@
 import eu.webeid.example.testutil.Dates;
 import org.junit.jupiter.api.Test;
 
-import java.text.ParseException;
-import java.util.Date;
+import java.time.ZonedDateTime;
 
+import static eu.webeid.example.testutil.Dates.getSigningDateTime;
 import static org.assertj.core.api.Assertions.assertThat;
 
 public class DateMockingTest {
 
     @Test
-    void testDateMocking() throws ParseException {
-        final Date date = Dates.create("2020-04-14T13:36:49Z");
-        Dates.setMockedDate(date);
+    void testDateMocking() {
+        final ZonedDateTime signingDateTime = getSigningDateTime();
+        Dates.setMockedDate(signingDateTime);
 
         // Mocking native methods is unreliable, see https://github.com/jmockit/jmockit1/issues/689#issuecomment-702965484
-        assertThat(System.currentTimeMillis()).isEqualTo(date.getTime());
+        assertThat(System.currentTimeMillis()).isEqualTo(signingDateTime.toInstant().toEpochMilli());
     }
 
 }
diff --git a/example/src/test/java/eu/webeid/example/WebApplicationTest.java b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
index 4295915..4ab07ac 100644
--- a/example/src/test/java/eu/webeid/example/WebApplicationTest.java
+++ b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
@@ -101,7 +101,7 @@ public void validateOcspResponse(XadesSignature xadesSignature) {
         final MockHttpSession session = new MockHttpSession();
         session.setAttribute("challenge-nonce", new ChallengeNonce(ObjectMother.VALID_CHALLENGE_NONCE, DateAndTime.utcNow().plusMinutes(1)));
 
-        Dates.setMockedDate(Dates.create("2020-04-14T13:36:49Z"));
+        Dates.setMockedDate(Dates.getSigningDateTime());
 
         // Act and assert
         mvcBuilder.build().perform(get("/auth/challenge"));
diff --git a/example/src/test/java/eu/webeid/example/testutil/Dates.java b/example/src/test/java/eu/webeid/example/testutil/Dates.java
index 23e367c..f8b8b1f 100644
--- a/example/src/test/java/eu/webeid/example/testutil/Dates.java
+++ b/example/src/test/java/eu/webeid/example/testutil/Dates.java
@@ -22,27 +22,25 @@
 
 package eu.webeid.example.testutil;
 
-import com.fasterxml.jackson.databind.util.StdDateFormat;
 import mockit.Mock;
 import mockit.MockUp;
 
-import java.text.ParseException;
-import java.util.Date;
+import java.time.ZoneId;
+import java.time.ZonedDateTime;
 
 public final class Dates {
-    private static final StdDateFormat STD_DATE_FORMAT = new StdDateFormat();
 
-    public static Date create(String iso8601Date) throws ParseException {
-        return STD_DATE_FORMAT.parse(iso8601Date);
+    public static ZonedDateTime getSigningDateTime() {
+        return ZonedDateTime.of(2020, 4, 14, 13, 36, 49, 0,
+                ZoneId.of("Europe/Tallinn"));
     }
 
-    public static void setMockedDate(Date mockedDate) {
+    public static void setMockedDate(ZonedDateTime mockedDateTime) {
         new MockUp<System>() {
             @Mock
             public long currentTimeMillis() {
-                return mockedDate.getTime();
+                return mockedDateTime.toInstant().toEpochMilli();
             }
         };
     }
-
 }

From 048d3ba485243f577130fe38690f41c252343194 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mart=20S=C3=B5mermaa?= <mrts@users.noreply.github.com>
Date: Fri, 25 Aug 2023 00:06:26 +0300
Subject: [PATCH 078/116] refactor: better signature digest algorithm handling
 and name validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Mart Sõmermaa <mrts@users.noreply.github.com>
---
 .../webeid/example/service/SigningService.java | 18 ++++++++++++------
 .../webeid/example/testutil/ObjectMother.java  |  5 +++++
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/example/src/main/java/eu/webeid/example/service/SigningService.java b/example/src/main/java/eu/webeid/example/service/SigningService.java
index aa5fba8..410c921 100644
--- a/example/src/main/java/eu/webeid/example/service/SigningService.java
+++ b/example/src/main/java/eu/webeid/example/service/SigningService.java
@@ -35,6 +35,7 @@
 import org.digidoc4j.ContainerBuilder;
 import org.digidoc4j.DataFile;
 import org.digidoc4j.DataToSign;
+import org.digidoc4j.DigestAlgorithm;
 import org.digidoc4j.Signature;
 import org.digidoc4j.SignatureBuilder;
 import org.digidoc4j.SignatureProfile;
@@ -101,25 +102,30 @@ public DigestDTO prepareContainer(CertificateDTO certificateDTO, WebEidAuthentic
 
         LOG.info("Preparing container for signing for file '{}'", containerName);
 
+        final DigestAlgorithm signatureDigestAlgorithm = TokenAlgorithmSupport.determineSignatureDigestAlgorithm(certificate);
+        final String digestAlgorithmName = signatureDigestAlgorithm.uri().getRef().toUpperCase();
+        if (!certificateDTO.getSupportedAlgorithmNames().contains(digestAlgorithmName)) {
+            throw new IllegalArgumentException("Determined signature digest algorithm '" + digestAlgorithmName +
+                    "' is not supported. Supported algorithms are: " + String.join(", ", certificateDTO.getSupportedAlgorithmNames()));
+        }
+
         DataToSign dataToSign = SignatureBuilder
                 .aSignature(containerToSign)
                 .withSignatureProfile(SignatureProfile.LT) // AIA OCSP is supported for signatures with LT or LTA profile.
                 .withSigningCertificate(certificate)
-                .withSignatureDigestAlgorithm(TokenAlgorithmSupport.determineSignatureDigestAlgorithm(certificate))
+                .withSignatureDigestAlgorithm(signatureDigestAlgorithm)
                 .buildDataToSign();
 
         currentSession().setAttribute(SESSION_ATTR_DATA, dataToSign);
 
         LOG.info("Successfully prepared container for signing for file '{}'", containerName);
 
-        final String digestAlgorithm = certificateDTO.getSupportedAlgorithmNames().contains("SHA384") ?
-                "SHA-384" : "SHA-256";
-
-        final byte[] digest = MessageDigest.getInstance(digestAlgorithm).digest(dataToSign.getDataToSign());
+        final byte[] digest = signatureDigestAlgorithm.getDssDigestAlgorithm().getMessageDigest()
+                .digest(dataToSign.getDataToSign());
 
         DigestDTO digestDTO = new DigestDTO();
         digestDTO.setHash(DatatypeConverter.printBase64Binary(digest));
-        digestDTO.setHashFunction(digestAlgorithm);
+        digestDTO.setHashFunction(digestAlgorithmName.replace("SHA", "SHA-")); // SHA256 -> SHA-256
 
         return digestDTO;
     }
diff --git a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
index 2b07576..0c4b87b 100644
--- a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
+++ b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
@@ -24,6 +24,7 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import eu.webeid.example.service.dto.SignatureAlgorithmDTO;
 import eu.webeid.security.authtoken.WebEidAuthToken;
 import org.apache.commons.lang3.ArrayUtils;
 import org.digidoc4j.DigestAlgorithm;
@@ -39,6 +40,7 @@
 import java.security.PrivateKey;
 import java.security.cert.X509Certificate;
 import java.util.Base64;
+import java.util.List;
 
 public class ObjectMother {
 
@@ -94,6 +96,9 @@ public static <T> T jsonStringToBean(String jsonString, Class<T> valueType) thro
     public static CertificateDTO mockPrepareRequest() {
         CertificateDTO certificateDTO = new CertificateDTO();
         certificateDTO.setCertificate(mockCertificateInBase64());
+        final SignatureAlgorithmDTO signatureAlgorithmDTO = new SignatureAlgorithmDTO();
+        signatureAlgorithmDTO.setHashAlgorithm("SHA256");
+        certificateDTO.setSupportedSignatureAlgorithms(List.of(signatureAlgorithmDTO));
         return certificateDTO;
     }
 

From 8a8ed7aa892ad52f8aa16f4dd3da40a2748b90b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mart=20S=C3=B5mermaa?= <mrts@users.noreply.github.com>
Date: Fri, 25 Aug 2023 20:34:41 +0300
Subject: [PATCH 079/116] refactor,fix(tests): mock
 BLevelParameters.getSigningDate() instead of System.currentTimeMillis() to
 fix TslDownloadException
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Mart Sõmermaa <mrts@users.noreply.github.com>
---
 .../eu/webeid/example/DateMockingTest.java    | 44 -------------------
 .../eu/webeid/example/WebApplicationTest.java |  2 +-
 .../eu/webeid/example/testutil/Dates.java     | 10 +++--
 3 files changed, 7 insertions(+), 49 deletions(-)
 delete mode 100644 example/src/test/java/eu/webeid/example/DateMockingTest.java

diff --git a/example/src/test/java/eu/webeid/example/DateMockingTest.java b/example/src/test/java/eu/webeid/example/DateMockingTest.java
deleted file mode 100644
index 6c1c345..0000000
--- a/example/src/test/java/eu/webeid/example/DateMockingTest.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright (c) 2020-2023 Estonian Information System Authority
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-package eu.webeid.example;
-
-import eu.webeid.example.testutil.Dates;
-import org.junit.jupiter.api.Test;
-
-import java.time.ZonedDateTime;
-
-import static eu.webeid.example.testutil.Dates.getSigningDateTime;
-import static org.assertj.core.api.Assertions.assertThat;
-
-public class DateMockingTest {
-
-    @Test
-    void testDateMocking() {
-        final ZonedDateTime signingDateTime = getSigningDateTime();
-        Dates.setMockedDate(signingDateTime);
-
-        // Mocking native methods is unreliable, see https://github.com/jmockit/jmockit1/issues/689#issuecomment-702965484
-        assertThat(System.currentTimeMillis()).isEqualTo(signingDateTime.toInstant().toEpochMilli());
-    }
-
-}
diff --git a/example/src/test/java/eu/webeid/example/WebApplicationTest.java b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
index 4ab07ac..1de96c6 100644
--- a/example/src/test/java/eu/webeid/example/WebApplicationTest.java
+++ b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
@@ -101,7 +101,7 @@ public void validateOcspResponse(XadesSignature xadesSignature) {
         final MockHttpSession session = new MockHttpSession();
         session.setAttribute("challenge-nonce", new ChallengeNonce(ObjectMother.VALID_CHALLENGE_NONCE, DateAndTime.utcNow().plusMinutes(1)));
 
-        Dates.setMockedDate(Dates.getSigningDateTime());
+        Dates.setMockedSignatureDate(Dates.getSigningDateTime());
 
         // Act and assert
         mvcBuilder.build().perform(get("/auth/challenge"));
diff --git a/example/src/test/java/eu/webeid/example/testutil/Dates.java b/example/src/test/java/eu/webeid/example/testutil/Dates.java
index f8b8b1f..9ab1260 100644
--- a/example/src/test/java/eu/webeid/example/testutil/Dates.java
+++ b/example/src/test/java/eu/webeid/example/testutil/Dates.java
@@ -22,11 +22,13 @@
 
 package eu.webeid.example.testutil;
 
+import eu.europa.esig.dss.model.BLevelParameters;
 import mockit.Mock;
 import mockit.MockUp;
 
 import java.time.ZoneId;
 import java.time.ZonedDateTime;
+import java.util.Date;
 
 public final class Dates {
 
@@ -35,11 +37,11 @@ public static ZonedDateTime getSigningDateTime() {
                 ZoneId.of("Europe/Tallinn"));
     }
 
-    public static void setMockedDate(ZonedDateTime mockedDateTime) {
-        new MockUp<System>() {
+    public static void setMockedSignatureDate(ZonedDateTime mockedDateTime) {
+        new MockUp<BLevelParameters>() {
             @Mock
-            public long currentTimeMillis() {
-                return mockedDateTime.toInstant().toEpochMilli();
+            public Date getSigningDate() {
+                return Date.from(mockedDateTime.toInstant());
             }
         };
     }

From 950f63e97f546769ce6103ca509e86cbd10059e1 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 5 Sep 2023 21:25:57 +0300
Subject: [PATCH 080/116] deps: upgrade DigiDoc4j to v5.2.0 and Spring Boot to
 2.7.15

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/example/pom.xml b/example/pom.xml
index 2047739..3568a9c 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.7.14</version>
+		<version>2.7.15</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>org.webeid.example</groupId>
@@ -20,7 +20,7 @@
 		<java.version>11</java.version>
 		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
 		<webeid.version>3.0.0</webeid.version>
-		<digidoc4j.version>5.1.0</digidoc4j.version>
+		<digidoc4j.version>5.2.0</digidoc4j.version>
 		<jmockit.version>1.44</jmockit.version>
 	</properties>
 

From 880933f5d39b01b068ffc92f83434cc6bc725a62 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 5 Sep 2023 21:30:48 +0300
Subject: [PATCH 081/116] fix: use correct JSON property names in
 SignatureAlgorithmDTO,  add dash to digestAlgorithmName already during
 construction

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 .../example/service/SigningService.java       | 10 ++++----
 .../example/service/dto/CertificateDTO.java   |  6 ++---
 .../service/dto/SignatureAlgorithmDTO.java    | 25 ++++++++-----------
 .../webeid/example/testutil/ObjectMother.java |  2 +-
 4 files changed, 18 insertions(+), 25 deletions(-)

diff --git a/example/src/main/java/eu/webeid/example/service/SigningService.java b/example/src/main/java/eu/webeid/example/service/SigningService.java
index 410c921..1307bd0 100644
--- a/example/src/main/java/eu/webeid/example/service/SigningService.java
+++ b/example/src/main/java/eu/webeid/example/service/SigningService.java
@@ -50,7 +50,6 @@
 import javax.xml.bind.DatatypeConverter;
 import java.io.IOException;
 import java.io.InputStream;
-import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -103,10 +102,11 @@ public DigestDTO prepareContainer(CertificateDTO certificateDTO, WebEidAuthentic
         LOG.info("Preparing container for signing for file '{}'", containerName);
 
         final DigestAlgorithm signatureDigestAlgorithm = TokenAlgorithmSupport.determineSignatureDigestAlgorithm(certificate);
-        final String digestAlgorithmName = signatureDigestAlgorithm.uri().getRef().toUpperCase();
-        if (!certificateDTO.getSupportedAlgorithmNames().contains(digestAlgorithmName)) {
+        final String digestAlgorithmName = signatureDigestAlgorithm.uri().getRef()
+                .toUpperCase().replace("SHA", "SHA-"); // SHA256 -> SHA-256
+        if (!certificateDTO.getSupportedHashFunctionNames().contains(digestAlgorithmName)) {
             throw new IllegalArgumentException("Determined signature digest algorithm '" + digestAlgorithmName +
-                    "' is not supported. Supported algorithms are: " + String.join(", ", certificateDTO.getSupportedAlgorithmNames()));
+                    "' is not supported. Supported algorithms are: " + String.join(", ", certificateDTO.getSupportedHashFunctionNames()));
         }
 
         DataToSign dataToSign = SignatureBuilder
@@ -125,7 +125,7 @@ public DigestDTO prepareContainer(CertificateDTO certificateDTO, WebEidAuthentic
 
         DigestDTO digestDTO = new DigestDTO();
         digestDTO.setHash(DatatypeConverter.printBase64Binary(digest));
-        digestDTO.setHashFunction(digestAlgorithmName.replace("SHA", "SHA-")); // SHA256 -> SHA-256
+        digestDTO.setHashFunction(digestAlgorithmName);
 
         return digestDTO;
     }
diff --git a/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java b/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java
index cc0c103..4148165 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java
@@ -22,8 +22,6 @@
 
 package eu.webeid.example.service.dto;
 
-import com.fasterxml.jackson.annotation.JsonProperty;
-
 import java.io.ByteArrayInputStream;
 import java.io.InputStream;
 import java.security.cert.CertificateException;
@@ -62,10 +60,10 @@ public X509Certificate toX509Certificate() throws CertificateException {
         return (X509Certificate) cf.generateCertificate(inStream);
     }
 
-    public List<String> getSupportedAlgorithmNames() {
+    public List<String> getSupportedHashFunctionNames() {
         return supportedSignatureAlgorithms == null ? new ArrayList<>() : supportedSignatureAlgorithms
                 .stream()
-                .map(SignatureAlgorithmDTO::getHashAlgorithm)
+                .map(SignatureAlgorithmDTO::getHashFunction)
                 .distinct()
                 .collect(Collectors.toList());
     }
diff --git a/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java b/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
index 4ee0a5a..e578d27 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
@@ -22,18 +22,13 @@
 
 package eu.webeid.example.service.dto;
 
-import com.fasterxml.jackson.annotation.JsonProperty;
-
 public class SignatureAlgorithmDTO {
 
-    @JsonProperty("crypto-algo")
     private String cryptoAlgorithm;
 
-    @JsonProperty("hash-algo")
-    private String hashAlgorithm;
+    private String hashFunction;
 
-    @JsonProperty("padding-algo")
-    private String paddingAlgorithm;
+    private String paddingScheme;
 
     public String getCryptoAlgorithm() {
         return cryptoAlgorithm;
@@ -43,19 +38,19 @@ public void setCryptoAlgorithm(String cryptoAlgorithm) {
         this.cryptoAlgorithm = cryptoAlgorithm;
     }
 
-    public String getHashAlgorithm() {
-        return hashAlgorithm;
+    public String getHashFunction() {
+        return hashFunction;
     }
 
-    public void setHashAlgorithm(String hashAlgorithm) {
-        this.hashAlgorithm = hashAlgorithm;
+    public void setHashFunction(String hashFunction) {
+        this.hashFunction = hashFunction;
     }
 
-    public String getPaddingAlgorithm() {
-        return paddingAlgorithm;
+    public String getPaddingScheme() {
+        return paddingScheme;
     }
 
-    public void setPaddingAlgorithm(String paddingAlgorithm) {
-        this.paddingAlgorithm = paddingAlgorithm;
+    public void setPaddingScheme(String paddingScheme) {
+        this.paddingScheme = paddingScheme;
     }
 }
diff --git a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
index 0c4b87b..f053f72 100644
--- a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
+++ b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
@@ -97,7 +97,7 @@ public static CertificateDTO mockPrepareRequest() {
         CertificateDTO certificateDTO = new CertificateDTO();
         certificateDTO.setCertificate(mockCertificateInBase64());
         final SignatureAlgorithmDTO signatureAlgorithmDTO = new SignatureAlgorithmDTO();
-        signatureAlgorithmDTO.setHashAlgorithm("SHA256");
+        signatureAlgorithmDTO.setHashFunction("SHA-256");
         certificateDTO.setSupportedSignatureAlgorithms(List.of(signatureAlgorithmDTO));
         return certificateDTO;
     }

From 5d6bcfb2a7829c7b93dc3c4066f528bae921e975 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Thu, 7 Sep 2023 14:55:38 +0300
Subject: [PATCH 082/116] feat: validate signature algorithm values

WE2-817

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 .../service/dto/SignatureAlgorithmDTO.java    | 26 +++++++++++++++++++
 .../webeid/example/testutil/ObjectMother.java |  2 ++
 2 files changed, 28 insertions(+)

diff --git a/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java b/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
index e578d27..94d1b8c 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
@@ -22,8 +22,25 @@
 
 package eu.webeid.example.service.dto;
 
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
 public class SignatureAlgorithmDTO {
 
+    // See https://github.com/web-eid/web-eid-app/blob/main/src/controller/command-handlers/signauthutils.cpp#L121-L127
+    private static final Set<String> SUPPORTED_CRYPTO_ALGOS = new HashSet<>(Arrays.asList(
+            "ECC", "RSA"
+    ));
+    private static final Set<String> SUPPORTED_PADDING_SCHEMES = new HashSet<>(Arrays.asList(
+            "NONE", "PKCS1.5", "PSS"
+    ));
+    // See https://github.com/web-eid/libelectronic-id/tree/main/src/electronic-id.cpp#L131
+    private static final Set<String> SUPPORTED_HASH_FUNCTIONS = new HashSet<>(Arrays.asList(
+            "SHA-224", "SHA-256", "SHA-384", "SHA-512",
+            "SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512"
+    ));
+
     private String cryptoAlgorithm;
 
     private String hashFunction;
@@ -35,6 +52,9 @@ public String getCryptoAlgorithm() {
     }
 
     public void setCryptoAlgorithm(String cryptoAlgorithm) {
+        if (!SUPPORTED_CRYPTO_ALGOS.contains(cryptoAlgorithm)) {
+            throw new IllegalArgumentException("The provided crypto algorithm is not supported");
+        }
         this.cryptoAlgorithm = cryptoAlgorithm;
     }
 
@@ -43,6 +63,9 @@ public String getHashFunction() {
     }
 
     public void setHashFunction(String hashFunction) {
+        if (!SUPPORTED_HASH_FUNCTIONS.contains(hashFunction)) {
+            throw new IllegalArgumentException("The provided hash function is not supported");
+        }
         this.hashFunction = hashFunction;
     }
 
@@ -51,6 +74,9 @@ public String getPaddingScheme() {
     }
 
     public void setPaddingScheme(String paddingScheme) {
+        if (!SUPPORTED_PADDING_SCHEMES.contains(paddingScheme)) {
+            throw new IllegalArgumentException("The provided padding scheme is not supported");
+        }
         this.paddingScheme = paddingScheme;
     }
 }
diff --git a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
index f053f72..7218933 100644
--- a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
+++ b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
@@ -97,7 +97,9 @@ public static CertificateDTO mockPrepareRequest() {
         CertificateDTO certificateDTO = new CertificateDTO();
         certificateDTO.setCertificate(mockCertificateInBase64());
         final SignatureAlgorithmDTO signatureAlgorithmDTO = new SignatureAlgorithmDTO();
+        signatureAlgorithmDTO.setCryptoAlgorithm("RSA");
         signatureAlgorithmDTO.setHashFunction("SHA-256");
+        signatureAlgorithmDTO.setPaddingScheme("PKCS1.5");
         certificateDTO.setSupportedSignatureAlgorithms(List.of(signatureAlgorithmDTO));
         return certificateDTO;
     }

From 2d3bcf9fd74576522877257169c69e70b931d42d Mon Sep 17 00:00:00 2001
From: Kristel Merilain <kristel.merilain@ria.ee>
Date: Mon, 2 Oct 2023 09:13:01 +0300
Subject: [PATCH 083/116] Remove kinetic support (#33)

Signed-off-by: Kristel Merilain <kristel.merilain@ria.ee>
---
 .../resources/static/scripts/download-install-web-eid.sh   | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
index efbfd0a..2e3b38a 100755
--- a/example/src/main/resources/static/scripts/download-install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/download-install-web-eid.sh
@@ -61,7 +61,6 @@ test_sudo
 # version   name    LTS   supported until
 # 20.04     focal   LTS   2025-04
 # 22.04     jammy   LTS   2027-04
-# 22.10     kinetic   -   2023-07
 # 23.04     lunar   -     2024-01
 LATEST_SUPPORTED_UBUNTU_CODENAME='lunar'
 LATEST_SUPPORTED_UBUNTU_VERSION='23.04'
@@ -83,7 +82,7 @@ case $distro in
         bookworm)
           make_warn "Debian $codename is not officially supported"
           make_warn "Installing from ubuntu-kinetic repository"
-          make_install '22.10'
+          make_install '22.04'
           ;;
         *)
           make_fail "Debian $codename is not officially supported"
@@ -96,10 +95,10 @@ case $distro in
          *) ;;
       esac
       case $codename in
-        utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute|impish|bionic)
+        utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute|impish|bionic|kinetic)
           make_fail "Ubuntu $codename is not officially supported"
           ;;
-        focal|jammy|kinetic|lunar)
+        focal|jammy|lunar)
           make_install $release
           ;;
         *)

From 92fa4acdca2c742fe89fad1ad155b1d8cafc66b0 Mon Sep 17 00:00:00 2001
From: Kristel Merilain <kristel.merilain@ria.ee>
Date: Mon, 9 Oct 2023 10:13:09 +0300
Subject: [PATCH 084/116] Update download-install-web-eid.sh (#34)

Signed-off-by: Kristel Merilain <kristel.merilain@ria.ee>
---
 .../main/resources/static/scripts/download-install-web-eid.sh   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
index 2e3b38a..4300382 100755
--- a/example/src/main/resources/static/scripts/download-install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/download-install-web-eid.sh
@@ -81,7 +81,7 @@ case $distro in
           ;;
         bookworm)
           make_warn "Debian $codename is not officially supported"
-          make_warn "Installing from ubuntu-kinetic repository"
+          make_warn "Installing from ubuntu-jammy repository"
           make_install '22.04'
           ;;
         *)

From 6656005b5528497d890e4f95aa0a60bdf5f48d26 Mon Sep 17 00:00:00 2001
From: Kristel Merilain <kristel.merilain@ria.ee>
Date: Fri, 3 Nov 2023 08:04:47 +0200
Subject: [PATCH 085/116] Add mantic support (#35)

Signed-off-by: Kristel Merilain <kristel.merilain@ria.ee>
---
 .../resources/static/scripts/download-install-web-eid.sh   | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
index 4300382..f866c64 100755
--- a/example/src/main/resources/static/scripts/download-install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/download-install-web-eid.sh
@@ -62,8 +62,9 @@ test_sudo
 # 20.04     focal   LTS   2025-04
 # 22.04     jammy   LTS   2027-04
 # 23.04     lunar   -     2024-01
-LATEST_SUPPORTED_UBUNTU_CODENAME='lunar'
-LATEST_SUPPORTED_UBUNTU_VERSION='23.04'
+# 23.10     mantic   -     2024-07
+LATEST_SUPPORTED_UBUNTU_CODENAME='mantic'
+LATEST_SUPPORTED_UBUNTU_VERSION='23.10'
 
 # Check the distro and release.
 distro=$(lsb_release -is | tr '[:upper:]' '[:lower:]')
@@ -98,7 +99,7 @@ case $distro in
         utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute|impish|bionic|kinetic)
           make_fail "Ubuntu $codename is not officially supported"
           ;;
-        focal|jammy|lunar)
+        focal|jammy|lunar|mantic)
           make_install $release
           ;;
         *)

From 26de20d3583c258b0ae6cafdf91c1e2c17a7cb53 Mon Sep 17 00:00:00 2001
From: Raul Metsma <raul@metsma.ee>
Date: Tue, 7 Nov 2023 12:49:29 +0200
Subject: [PATCH 086/116] Update tests

WE2-834

Signed-off-by: Raul Metsma <raul@metsma.ee>
---
 .../java/eu/webeid/example/testutil/ObjectMother.java     | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
index 7218933..e6de802 100644
--- a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
+++ b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
@@ -53,10 +53,10 @@ public class ObjectMother {
         try {
             VALID_AUTH_TOKEN = MAPPER.readValue(
                     "{\"algorithm\":\"ES384\"," +
-                            "\"unverifiedCertificate\":\"MIIEAzCCA2WgAwIBAgIQHWbVWxCkcYxbzz9nBzGrDzAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTE4MTAyMzE1MzM1OVoXDTIzMTAyMjIxNTk1OVowfzELMAkGA1UEBhMCRUUxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEQMA4GA1UEBAwHSsOVRU9SRzEWMBQGA1UEKgwNSkFBSy1LUklTVEpBTjEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQ/u+9IncarVpgrACN6aRgUiT9lWC9H7llnxoEXe8xoCI982Md8YuJsVfRdeG5jwVfXe0N6KkHLFRARspst8qnACULkqFNat/Kj+XRwJ2UANeJ3Gl5XBr+tnLNuDf/UiR6jggHDMIIBvzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIDiDBHBgNVHSAEQDA+MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAIBgYEAI96AQIwHwYDVR0RBBgwFoEUMzgwMDEwODU3MThAZWVzdGkuZWUwHQYDVR0OBBYEFOTddHnA9rJtbLwhBNyn0xZTQGCMMGEGCCsGAQUFBwEDBFUwUzBRBgYEAI5GAQUwRzBFFj9odHRwczovL3NrLmVlL2VuL3JlcG9zaXRvcnkvY29uZGl0aW9ucy1mb3ItdXNlLW9mLWNlcnRpZmljYXRlcy8TAkVOMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBiwAwgYcCQgHYElkX4vn821JR41akI/lpexCnJFUf4GiOMbTfzAxpZma333R8LNrmI4zbzDp03hvMTzH49g1jcbGnaCcbboS8DAJBObenUp++L5VqldHwKAps61nM4V+TiLqD0jILnTzl+pV+LexNL3uGzUfvvDNLHnF9t6ygi8+Bsjsu3iHHyM1haKM=\"," +
-                            "\"appVersion\":\"https://web-eid.eu/web-eid-app/releases/2.0.0+0\"," +
-                            "\"signature\":\"tbMTrZD4CKUj6atjNCHZruIeyPFAEJk2htziQ1t08BSTyA5wKKqmNmzsJ7562hWQ6+tJd6nlidHGE5jVVJRKmPtNv3f9gbT2b7RXcD4t5Pjn8eUCBCA4IX99Af32Z5ln\"," +
-                            "\"format\":\"web-eid:1\"}",
+                            "\"unverifiedCertificate\":\"MIIEBDCCA2WgAwIBAgIQY5OGshxoPMFg+Wfc0gFEaTAKBggqhkjOPQQDBDBgMQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRhDA5OVFJFRS0xMDc0NzAxMzEbMBkGA1UEAwwSVEVTVCBvZiBFU1RFSUQyMDE4MB4XDTIxMDcyMjEyNDMwOFoXDTI2MDcwOTIxNTk1OVowfzELMAkGA1UEBhMCRUUxKjAoBgNVBAMMIUrDlUVPUkcsSkFBSy1LUklTVEpBTiwzODAwMTA4NTcxODEQMA4GA1UEBAwHSsOVRU9SRzEWMBQGA1UEKgwNSkFBSy1LUklTVEpBTjEaMBgGA1UEBRMRUE5PRUUtMzgwMDEwODU3MTgwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQmwEKsJTjaMHSaZj19hb9EJaJlwbKc5VFzmlGMFSJVk4dDy+eUxa5KOA7tWXqzcmhh5SYdv+MxcaQKlKWLMa36pfgv20FpEDb03GCtLqjLTRZ7649PugAQ5EmAqIic29CjggHDMIIBvzAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIDiDBHBgNVHSAEQDA+MDIGCysGAQQBg5EhAQIBMCMwIQYIKwYBBQUHAgEWFWh0dHBzOi8vd3d3LnNrLmVlL0NQUzAIBgYEAI96AQIwHwYDVR0RBBgwFoEUMzgwMDEwODU3MThAZWVzdGkuZWUwHQYDVR0OBBYEFPlp/ceABC52itoqppEmbf71TJz6MGEGCCsGAQUFBwEDBFUwUzBRBgYEAI5GAQUwRzBFFj9odHRwczovL3NrLmVlL2VuL3JlcG9zaXRvcnkvY29uZGl0aW9ucy1mb3ItdXNlLW9mLWNlcnRpZmljYXRlcy8TAkVOMCAGA1UdJQEB/wQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBTAhJkpxE6fOwI09pnhClYACCk+ezBzBggrBgEFBQcBAQRnMGUwLAYIKwYBBQUHMAGGIGh0dHA6Ly9haWEuZGVtby5zay5lZS9lc3RlaWQyMDE4MDUGCCsGAQUFBzAChilodHRwOi8vYy5zay5lZS9UZXN0X29mX0VTVEVJRDIwMTguZGVyLmNydDAKBggqhkjOPQQDBAOBjAAwgYgCQgDCAgybz0u3W+tGI+AX+PiI5CrE9ptEHO5eezR1Jo4j7iGaO0i39xTGUB+NSC7P6AQbyE/ywqJjA1a62jTLcS9GHAJCARxN4NO4eVdWU3zVohCXm8WN3DWA7XUcn9TZiLGQ29P4xfQZOXJi/z4PNRRsR4plvSNB3dfyBvZn31HhC7my8woi\"," +
+                            "\"appVersion\":\"https://web-eid.eu/web-eid-app/releases/2.5.0+0\"," +
+                            "\"signature\":\"0Ov7ME6pTY1K2GXMj8Wxov/o2fGIMEds8OMY5dKdkB0nrqQX7fG1E5mnsbvyHpMDecMUH6Yg+p1HXdgB/lLqOcFZjt/OVXPjAAApC5d1YgRYATDcxsR1zqQwiNcHdmWn\"," +
+                            "\"format\":\"web-eid:1.0\"}",
                     WebEidAuthToken.class);
         } catch (JsonProcessingException e) {
             throw new RuntimeException("Token parsing failed");

From 55f2057e717e0dc6c53d45a3d7954c8112c9c2bd Mon Sep 17 00:00:00 2001
From: Kristel Merilain <kristel.merilain@ria.ee>
Date: Wed, 29 Nov 2023 13:51:12 +0200
Subject: [PATCH 087/116] Update Ubuntu package version (#37)

Signed-off-by: Kristel Merilain <kristel.merilain@ria.ee>
---
 .../main/resources/static/scripts/download-install-web-eid.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
index f866c64..cba4fc1 100755
--- a/example/src/main/resources/static/scripts/download-install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/download-install-web-eid.sh
@@ -34,9 +34,9 @@ make_install() {
   echo "Installing Web eID packages for Ubuntu $1"
   TMPDIR=`mktemp -d`
   cd $TMPDIR
-  VERSION='2.4.0'
+  VERSION='2.5.0'
   # BUILD=`[[ $1 == *0 ]] && echo 555 || echo 552`
-  BUILD='639'
+  BUILD='642'
   UBUNTU_VERSION=${1//./}
   wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid_${VERSION}.${BUILD}-${UBUNTU_VERSION}_all.deb"
   wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-chrome_${VERSION}.${BUILD}-${UBUNTU_VERSION}_all.deb"

From 69fc172bfb8949c50c5b6b6fc9fa30c0269b0d72 Mon Sep 17 00:00:00 2001
From: Raul Metsma <raul@metsma.ee>
Date: Fri, 5 Jan 2024 09:18:27 +0200
Subject: [PATCH 088/116] Logout accpets POST requests

WE2-850

Signed-off-by: Raul Metsma <raul@metsma.ee>
---
 example/src/main/resources/templates/welcome.html | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/example/src/main/resources/templates/welcome.html b/example/src/main/resources/templates/welcome.html
index ab0a093..67b3131 100644
--- a/example/src/main/resources/templates/welcome.html
+++ b/example/src/main/resources/templates/welcome.html
@@ -59,8 +59,17 @@ <h2 class="adding-signature">Digital signing</h2>
     const fileNameText = document.querySelector("#file-name");
     const exampleDocument = document.querySelector("#example-document");
 
+    const csrfToken = document.querySelector('#csrftoken').content;
+    const csrfHeaderName = document.querySelector('#csrfheadername').content;
+
     document.querySelector("#webeid-logout-button").addEventListener("click", async () => {
-        await fetch("/logout");
+        await fetch("/logout", {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                [csrfHeaderName]: csrfToken
+            }
+        });
         window.location.href = "/";
     });
 
@@ -68,9 +77,6 @@ <h2 class="adding-signature">Digital signing</h2>
         window.location.href = "/sign/download";
     });
 
-    const csrfToken = document.querySelector('#csrftoken').content;
-    const csrfHeaderName = document.querySelector('#csrfheadername').content;
-
     const lang = new URLSearchParams(window.location.search).get("lang") || "en";
 
     signButton.addEventListener("click", async () => {

From 559e5cd06ca38f1656a801c68ea5a0e4360164b9 Mon Sep 17 00:00:00 2001
From: Raul Metsma <raul@metsma.ee>
Date: Fri, 5 Jan 2024 21:07:47 +0200
Subject: [PATCH 089/116] Use session fixation protection strategy

WE2-849

Signed-off-by: Raul Metsma <raul@metsma.ee>
---
 .../example/security/WebEidAjaxLoginProcessingFilter.java  | 2 ++
 .../test/java/eu/webeid/example/WebApplicationTest.java    | 7 +++++--
 .../test/java/eu/webeid/example/testutil/HttpHelper.java   | 6 +++---
 3 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
index de319eb..16bf0c4 100644
--- a/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
@@ -39,6 +39,7 @@
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
 
 public class WebEidAjaxLoginProcessingFilter extends AbstractAuthenticationProcessingFilter {
     private static final Logger LOG = LoggerFactory.getLogger(WebEidAjaxLoginProcessingFilter.class);
@@ -51,6 +52,7 @@ public WebEidAjaxLoginProcessingFilter(
         this.setAuthenticationManager(authenticationManager);
         this.setAuthenticationSuccessHandler(new AjaxAuthenticationSuccessHandler());
         this.setAuthenticationFailureHandler(new AjaxAuthenticationFailureHandler());
+        setSessionAuthenticationStrategy(new SessionFixationProtectionStrategy());
     }
 
     @Override
diff --git a/example/src/test/java/eu/webeid/example/WebApplicationTest.java b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
index 1de96c6..643734e 100644
--- a/example/src/test/java/eu/webeid/example/WebApplicationTest.java
+++ b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
@@ -37,6 +37,7 @@
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.test.context.web.WebAppConfiguration;
+import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.setup.DefaultMockMvcBuilder;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import org.springframework.web.context.WebApplicationContext;
@@ -98,7 +99,7 @@ public void validateOcspResponse(XadesSignature xadesSignature) {
             }
         };
 
-        final MockHttpSession session = new MockHttpSession();
+        MockHttpSession session = new MockHttpSession();
         session.setAttribute("challenge-nonce", new ChallengeNonce(ObjectMother.VALID_CHALLENGE_NONCE, DateAndTime.utcNow().plusMinutes(1)));
 
         Dates.setMockedSignatureDate(Dates.getSigningDateTime());
@@ -106,7 +107,9 @@ public void validateOcspResponse(XadesSignature xadesSignature) {
         // Act and assert
         mvcBuilder.build().perform(get("/auth/challenge"));
 
-        MockHttpServletResponse response = HttpHelper.login(mvcBuilder, session, ObjectMother.mockAuthToken());
+        MvcResult result = HttpHelper.login(mvcBuilder, session, ObjectMother.mockAuthToken());
+        session = (MockHttpSession) result.getRequest().getSession();
+        MockHttpServletResponse response = result.getResponse();
         assertEquals("{\"sub\":\"JAAK-KRISTJAN JÕEORG\",\"auth\":[\"ROLE_USER\"]}", response.getContentAsString());
 
         /* Example how to test file upload.
diff --git a/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java b/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
index 2a548df..03ae120 100644
--- a/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
+++ b/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
@@ -26,6 +26,7 @@
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.mock.web.MockMultipartFile;
+import org.springframework.test.web.servlet.MvcResult;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
 import org.springframework.test.web.servlet.setup.DefaultMockMvcBuilder;
 import eu.webeid.example.security.dto.AuthTokenDTO;
@@ -38,7 +39,7 @@
 
 public class HttpHelper {
 
-    public static MockHttpServletResponse login(DefaultMockMvcBuilder mvcBuilder, MockHttpSession session, AuthTokenDTO authTokenDTO) throws Exception {
+    public static MvcResult login(DefaultMockMvcBuilder mvcBuilder, MockHttpSession session, AuthTokenDTO authTokenDTO) throws Exception {
         // @formatter:off
         return mvcBuilder
                 .build()
@@ -47,8 +48,7 @@ public static MockHttpServletResponse login(DefaultMockMvcBuilder mvcBuilder, Mo
                         .with(csrf())
                         .contentType(MediaType.APPLICATION_JSON)
                         .content(ObjectMother.toJson(authTokenDTO)))
-                .andReturn()
-                .getResponse();
+                .andReturn();
         // @formatter:on
     }
 

From 07663e72f0ba3c56d0afeab5c3da7ae0351ba4b9 Mon Sep 17 00:00:00 2001
From: Raul Metsma <raul@metsma.ee>
Date: Fri, 5 Jan 2024 09:24:36 +0200
Subject: [PATCH 090/116] All ID-Card certificates are expired in EstEID 2015

WE2-839

Signed-off-by: Raul Metsma <raul@metsma.ee>
---
 .../example/config/ValidationConfiguration.java  |  10 +++-------
 .../certs/dev/TEST_of_ESTEID-SK_2015.cer         | Bin 1671 -> 0 bytes
 .../main/resources/certs/prod/ESTEID-SK_2015.cer | Bin 1652 -> 0 bytes
 3 files changed, 3 insertions(+), 7 deletions(-)
 delete mode 100644 example/src/main/resources/certs/dev/TEST_of_ESTEID-SK_2015.cer
 delete mode 100644 example/src/main/resources/certs/prod/ESTEID-SK_2015.cer

diff --git a/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
index 26c6e0e..f1f78f7 100644
--- a/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
@@ -126,15 +126,11 @@ public X509Certificate[] loadTrustedCACertificatesFromTrustStore() {
     @Bean
     public AuthTokenValidator validator() {
         try {
-            AuthTokenValidatorBuilder validatorBuilder = new AuthTokenValidatorBuilder()
+            return new AuthTokenValidatorBuilder()
                     .withSiteOrigin(URI.create(yamlConfig().getLocalOrigin()))
                     .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromCerFiles())
-                    .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromTrustStore());
-            if (activeProfile.equals("dev")) {
-                // Enable support for ESTEID 2015 test certificates in development profile.
-                validatorBuilder = validatorBuilder.withNonceDisabledOcspUrls(URI.create("http://aia.demo.sk.ee/esteid2015"));
-            }
-            return validatorBuilder.build();
+                    .withTrustedCertificateAuthorities(loadTrustedCACertificatesFromTrustStore())
+                    .build();
         } catch (JceException e) {
             throw new RuntimeException("Error building the Web eID auth token validator.", e);
         }
diff --git a/example/src/main/resources/certs/dev/TEST_of_ESTEID-SK_2015.cer b/example/src/main/resources/certs/dev/TEST_of_ESTEID-SK_2015.cer
deleted file mode 100644
index 7749286c895084bf2d7bacb98b742a01cd684122..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1671
zcmb7EX;4#F6wZ5ji4YT@LXe$^l>i-*`vL)3WD$Z;z=c%<B|v!8$dWXPA__%=1T2V%
zXi<csC{T6Uf{5)@DcGo~EV9Xz3JRi9s;z*wC@Azrh3a(rqxa7}-<fmo`OcYhKA<3H
z0|hCmk_baEtf%Mna+h`d&{Tx1-i8}uS_f!kZ9ApEa*75)R1yJXqKknxnHY|c^<f?l
zwE_$cpiqsyLm8o%R4z&s$z>QO6{Uz|Nti5Ys|*EzrHLU@nPI%pFormh!Q(M}UdIaK
z<RWn@j#A}Pj1eLh%Nai2s1Yz+$f^w)YD<ztUa}+>h5^P>8p=gE=t|&>IygG=jdVG{
z0pJd2jsw?)>%s>~|DWJeK-UnAqw1^;3*qtXQQ++83{VHu5}3bcZn(faG>jMEYabfO
z-~f~h6tLCX4T4Anq5{?>;C>3MfFXkFHX*9@YOKZPhws_e%qlnO<cJk=|5Ha+Q}{Pd
zYhznxbdm9K&$W48*iADxMNUk9T<Q3OjG?m5ph&4~KjqTC^1iRz%wH<|rLom$(U@`m
zj=&pN`?Dt=pETi&pI~%fHBY6li%px(zwn1O_(fLG-ZxnuPHG-=d)~snJ+-c1El7Xx
z;@Fj*z(%HdmCJW(Mw`=Oq>xqQNRwIF&n`~1KE|CGi>^}+HLlswpy~$=6&4-s8xoQu
zPWZNaI-1?K_1m)=i%?y>INNxazUcC3=NFXg{Lh`Ad45@PS*LrIYTEetNUfHrv#Vuz
z!^?qN&#WMG!<^jJDzbBy1YKXU#6!Pztk|T2UvZ`;T2i5xe=9g>AlSFJ&0{qDxBce}
zGxzCtI8=KbySVY7swKF3L{S$NR&#0?itslb-bPA?nh!_1G3$MPD2FPu$I{g%r!&R2
z7Wd~~5Wl%Zb&m2WF~aUx^f0H!IT=uI@RRV8ox@z?+~Vy|8D@qT+J=qy&-q8w#2zEW
z2o9}C(Yo!lu)kE2_u_8K=yLn6HR<Y!3@ADL#9)tV$ge<MFqwL|K9E#L72Qwr>I5`n
zsa6&<RK(r-tJ=fvFugXUu6V-x$e*Hzdba3sY_QL>tfKJg0aY#En=1H<22%?{K4E76
z{^(l5NYEX2cK46HW>pDOFcBg^RSKAfPlPtG#D~dzIf763E`#%ql=4$-y(^>3bedFk
z*cwyfw%J$HX0C%6A_f7?lfEw4%`!hX+RE7Mx;}dwWi`;zyw`=GIRwF%l?)O!n1Kku
zM*t;LJ|IH~)L}`4Ag~-PBWvN9L|OzxhV;#HxkTp5W~Zg4v0kka+h=_!puY74eg_fX
zK?qo)$)m5ys|CpTg%39H*7z(CSFrN96F~4iumY4^Ey9}vta2Ii_J7@gsrh0B!T=WY
zWQp1f7QA2~VE5j606|D5*a=q5V*n|QHPzw8C15GyH`NK_1Y)5~0zwwTV5Q%iuzz|W
z#1%-!)-1L_oG9S&1n)=^jx>@a&`6TN$D5UaNm)Xv9QbHRTO#fNue{Q!(oxCzcXy?j
zL@X1@#nN=PP?{`b%Q2Z;fMG(RR2YYUlKi%0;F?NQKoFtDWzSej1FN!l*U`=!Cn?sn
zJBhYMN6%(Y5V8znN<+$f>|Emwh@a_k>IXiqZaCYfpj)CtH)li_+}E{7H<1W@=XS#^
zk5pEZ4tXR;>CsZo?QFTW^+PAsUsa#xxl6cvJp#_n^fag0JjuBf6Th2TRy19ex5>-q
zfckldT}3N)JvnlfKYgd2=Q$TXbg#><v~R{E-t_x+VK;ZTe_KzaNsfI+ZCugz0~^EV
zS_U2tPFIL%L+74M>X!ff?V+wV{=G&xpz=_SnV;64Ak!`EPhIYw8ESfeZIIag<Yb|1
npsl+1pr516$c_AHe8)6XZ5sGEagHA48gu0*>&l~psrr8d>b^~V

diff --git a/example/src/main/resources/certs/prod/ESTEID-SK_2015.cer b/example/src/main/resources/certs/prod/ESTEID-SK_2015.cer
deleted file mode 100644
index b16695560fd7f7498f20dedd8ac67098f6eeee57..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1652
zcmXqLVk<CcVvSh9%*4pVB;e}7$=yEZy<%9=n#=ccq@xXZ**LY@JlekVGBWb8G8mK^
zavN~6F^96S2{XC68Y&qmfH+({l8(U&!Kp<hnQ56N#i^-9nYo$8*{Q|ZrNxFC25KNR
z%sle0t_sc&HOYx3nfZA@US3I2szOkHeu;v!qoIU>7~D2aMlsHU>`aH^Y`xS}0|jwj
zLsLT|LvuqTV+#}GC<%Te17ib_fRVAOrKx3<K{DwM6E_eAIV_Qf&o3m%)m7Kfz}&>#
zz|hzbD#6Ud=NcU1>gl2z?5$vAU}$R4#H55AAdIXG%uP)E3_x)%rY0svhD(jVu3Y$-
zdv)*Rlc$-Z+A{VrzWXzG;oX))^Dp^`Io@Z~RhZCS=H;?cUo-Y&lG_^QuoG;OyZ1TY
z&s`VxQ>X7!_pTEYrSzX%f6IEM*H+bX4M&76M}F!Q1#6Zl*>x_bA4KU)e5SWd!23qP
zUT&sj9i88z`6i*7+Fow_>y%EOnrrkR^<U|#yPw{r%_?A%6%~t4dsLDAKV*yhm5XY#
zS_9IKt#9u7V<VT#=ietD^w@(b;Eo#i_Vdo&C*<GM`DmJD<gdGPis8JI_R`Q*-8{$s
z{mHI+e4fceydq#;;=lPZyV=gSF4}j@HE%}Qk`qVt-mRH-(=qk~+ue`rA6M624SiIs
zbMfz!pJfN?&P0n{J9zbXaIf9|Rp%H!a@5Y5^=d`R^%F|#XYXqJUcoO{{q&{EqJZ^p
zv!r$|Y~py&ByK%>xyWPr3-vOBNkXD#Lh-*2P4$x$Xx&sBFWoh{-1IZgvIBe5mKc1o
zY3y7Ttz-CNoqCgT7GrdSOPh(Q>?3uxOCrJ_G$&MgZk60RkF{HF#Sb6H`f7&&@0dwf
zPp34UYA}8ywRHub`R|7^otx`Uh?~ykHcRW;Q{?ZX?RMyhv0RXg$oZvl4p~)SI{Tb<
z8$4b$`Ml@aQm!+eJD<d8cW2eb+U4$fFyDRVszph9i(f3dlb)OsRB%D`HDg#X%k1aJ
zvoj{Xiaa3NR`Sx3iJ6gsaWOD808<2;fjlsE$ttq|Q+0!g(5EQ7S79>y&$6xg_)+!b
zO7ANoGYw=x3iw#WSVT6j?$|T)YSNNcEsnEWWQ(kui`)YZ_(0P9jEw(TSb&+6&7d5_
zS70eH$TQ$zV`E|HuVQ2ZW=3`vhVC~GK&Am3r#2fS3*$L?Mn(f=14T9tAeWVuorzIQ
zG^3=Xpx8=Zzr4I$51gg+odbdmxDh&-kU7lA92Ns1kj26vhj19M0V!ZgH*f@r$+1`&
zSS&O%U;$<fB?GQ@4hASNP-<6zv2oD`>L4RjSriQ9U@m3mgtM67EEa<r7@Lt1?0W?m
z-+-}A1mrWI$MTbl3t&ETH1L9}U~032sz7)>8CVDv>$|$fqm)KK9;h^m2bD(g&W?I1
zsYQCpMI{EdAZN<6m>HND7%ebZpx35@VPH{eL4I*&Nq$kKesWPxv3_c5a&l2}B2aq{
za(MwPK$)8u85v5#c#_QReYI~LUOw&9aV`Hi;jMq~KKb|XU2x?R9jl3!XIVo0ZYv(S
z&p2Op@<RUXCf%CVj}78-=U>V?mgOcP?e^&Swgg`8Lk9Lwc8aMT*f_WD$n`_=Ts!uy
z^C+wf{uaFH+$!mv8#xO1CVihh;a)`luN!XPYX3c|U8ml7TE^l~-|g$S%5Hpp!sL4X
zx$eIe>(5o)ubH-n<NHp|HkEDX1tZ-2=f-Z^Jge1xUe67!Y{^Vj{e{iG^6|M#^$zOZ
zR_MO8GVcp_{+ta8r}pl;`!7HB{kio<=Mv9|T{@w@Kz?_`$z==v+z@3DJ^kp}k97OP
a*7^5-xW|ieyh<?TzRuIX?f)?k)29Gp97B)*


From 1c0e551e5a8ca513f6c93a53fa65303e53c5280e Mon Sep 17 00:00:00 2001
From: Raul Metsma <raul@metsma.ee>
Date: Fri, 5 Jan 2024 09:22:20 +0200
Subject: [PATCH 091/116] Set __Host- prefix to session cookie

WE2-853

Signed-off-by: Raul Metsma <raul@metsma.ee>
---
 .../java/eu/webeid/example/config/ApplicationConfiguration.java | 2 --
 example/src/main/resources/application.properties               | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
index 0b5c2dc..96430c1 100644
--- a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
@@ -64,8 +64,6 @@ protected void configure(HttpSecurity http) throws Exception {
             .authenticated()
          .and()
             .logout()
-            .logoutUrl("/logout")
-            .deleteCookies("JSESSIONID")
             .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
          .and()
             .headers()
diff --git a/example/src/main/resources/application.properties b/example/src/main/resources/application.properties
index cbb42d2..7d70ac4 100644
--- a/example/src/main/resources/application.properties
+++ b/example/src/main/resources/application.properties
@@ -1 +1,2 @@
 spring.profiles.active=dev
+server.servlet.session.cookie.name=__Host-JSESSIONID
\ No newline at end of file

From ada443e153f5f1ef1f7243af0770e65537845120 Mon Sep 17 00:00:00 2001
From: Raul Metsma <raul@metsma.ee>
Date: Tue, 19 Mar 2024 22:04:09 +0200
Subject: [PATCH 092/116] Update copyright year

WE2-887

Signed-off-by: Raul Metsma <raul@metsma.ee>
---
 .../eu/webeid/example/WebEidSpringbootExampleApplication.java   | 2 +-
 .../java/eu/webeid/example/config/ApplicationConfiguration.java | 2 +-
 .../eu/webeid/example/config/SameSiteCookieConfiguration.java   | 2 +-
 .../webeid/example/config/SessionBackedChallengeNonceStore.java | 2 +-
 .../java/eu/webeid/example/config/ValidationConfiguration.java  | 2 +-
 example/src/main/java/eu/webeid/example/config/YAMLConfig.java  | 2 +-
 .../example/security/AuthTokenDTOAuthenticationProvider.java    | 2 +-
 .../example/security/WebEidAjaxLoginProcessingFilter.java       | 2 +-
 .../java/eu/webeid/example/security/WebEidAuthentication.java   | 2 +-
 .../example/security/ajax/AjaxAuthenticationFailureHandler.java | 2 +-
 .../example/security/ajax/AjaxAuthenticationSuccessHandler.java | 2 +-
 .../main/java/eu/webeid/example/security/dto/AuthTokenDTO.java  | 2 +-
 .../src/main/java/eu/webeid/example/service/SigningService.java | 2 +-
 .../main/java/eu/webeid/example/service/dto/CertificateDTO.java | 2 +-
 .../main/java/eu/webeid/example/service/dto/ChallengeDTO.java   | 2 +-
 .../src/main/java/eu/webeid/example/service/dto/DigestDTO.java  | 2 +-
 .../src/main/java/eu/webeid/example/service/dto/FileDTO.java    | 2 +-
 .../eu/webeid/example/service/dto/SignatureAlgorithmDTO.java    | 2 +-
 .../main/java/eu/webeid/example/service/dto/SignatureDTO.java   | 2 +-
 .../src/main/java/eu/webeid/example/web/WelcomeController.java  | 2 +-
 .../java/eu/webeid/example/web/rest/ChallengeController.java    | 2 +-
 .../main/java/eu/webeid/example/web/rest/SigningController.java | 2 +-
 example/src/main/resources/static/js/errors.js                  | 2 +-
 .../eu/webeid/example/AuthenticationRestControllerTest.java     | 2 +-
 example/src/test/java/eu/webeid/example/WebApplicationTest.java | 2 +-
 example/src/test/java/eu/webeid/example/testutil/Dates.java     | 2 +-
 .../src/test/java/eu/webeid/example/testutil/HttpHelper.java    | 2 +-
 .../src/test/java/eu/webeid/example/testutil/ObjectMother.java  | 2 +-
 28 files changed, 28 insertions(+), 28 deletions(-)

diff --git a/example/src/main/java/eu/webeid/example/WebEidSpringbootExampleApplication.java b/example/src/main/java/eu/webeid/example/WebEidSpringbootExampleApplication.java
index 2af43ab..f82bac0 100644
--- a/example/src/main/java/eu/webeid/example/WebEidSpringbootExampleApplication.java
+++ b/example/src/main/java/eu/webeid/example/WebEidSpringbootExampleApplication.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
index 96430c1..9fba315 100644
--- a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java b/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java
index 1b87329..7940165 100644
--- a/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java b/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
index 00e0b9f..c94a324 100644
--- a/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
+++ b/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
index f1f78f7..83f0f47 100644
--- a/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/config/YAMLConfig.java b/example/src/main/java/eu/webeid/example/config/YAMLConfig.java
index e8fecd3..35905f0 100644
--- a/example/src/main/java/eu/webeid/example/config/YAMLConfig.java
+++ b/example/src/main/java/eu/webeid/example/config/YAMLConfig.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java b/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
index 95ea1ee..03e535f 100644
--- a/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
+++ b/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
index 16bf0c4..ac43205 100644
--- a/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
index 1726ff1..4a67020 100644
--- a/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
index d7c308e..8580bca 100644
--- a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
+++ b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
index e1e0db0..19d0410 100644
--- a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
+++ b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/dto/AuthTokenDTO.java b/example/src/main/java/eu/webeid/example/security/dto/AuthTokenDTO.java
index c0f4cd2..9321c4c 100644
--- a/example/src/main/java/eu/webeid/example/security/dto/AuthTokenDTO.java
+++ b/example/src/main/java/eu/webeid/example/security/dto/AuthTokenDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/SigningService.java b/example/src/main/java/eu/webeid/example/service/SigningService.java
index 1307bd0..a7d71b4 100644
--- a/example/src/main/java/eu/webeid/example/service/SigningService.java
+++ b/example/src/main/java/eu/webeid/example/service/SigningService.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java b/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java
index 4148165..6050c85 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java b/example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java
index a882db2..dd95d42 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/DigestDTO.java b/example/src/main/java/eu/webeid/example/service/dto/DigestDTO.java
index 483a71b..4e56d36 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/DigestDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/DigestDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java b/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java
index af2e24e..dca653b 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java b/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
index 94d1b8c..bef5ba4 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/SignatureDTO.java b/example/src/main/java/eu/webeid/example/service/dto/SignatureDTO.java
index 5a416cc..68742fc 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/SignatureDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/SignatureDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/web/WelcomeController.java b/example/src/main/java/eu/webeid/example/web/WelcomeController.java
index dcd09da..deb7ab8 100644
--- a/example/src/main/java/eu/webeid/example/web/WelcomeController.java
+++ b/example/src/main/java/eu/webeid/example/web/WelcomeController.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java b/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java
index a81aa68..9640fe6 100644
--- a/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java
+++ b/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/web/rest/SigningController.java b/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
index abdda22..14ecfae 100644
--- a/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
+++ b/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/resources/static/js/errors.js b/example/src/main/resources/static/js/errors.js
index 1665e6d..95220bb 100644
--- a/example/src/main/resources/static/js/errors.js
+++ b/example/src/main/resources/static/js/errors.js
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java b/example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java
index fcd4214..aa6f5df 100644
--- a/example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java
+++ b/example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/test/java/eu/webeid/example/WebApplicationTest.java b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
index 643734e..4d95f43 100644
--- a/example/src/test/java/eu/webeid/example/WebApplicationTest.java
+++ b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/test/java/eu/webeid/example/testutil/Dates.java b/example/src/test/java/eu/webeid/example/testutil/Dates.java
index 9ab1260..c44118d 100644
--- a/example/src/test/java/eu/webeid/example/testutil/Dates.java
+++ b/example/src/test/java/eu/webeid/example/testutil/Dates.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java b/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
index 03ae120..fec2621 100644
--- a/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
+++ b/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
index e6de802..ad048fd 100644
--- a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
+++ b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Estonian Information System Authority
+ * Copyright (c) 2020-2024 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal

From 311decec92d05319cd388ab54b6eed69e1515e63 Mon Sep 17 00:00:00 2001
From: Kristel Merilain <kristel.merilain@ria.ee>
Date: Thu, 11 Apr 2024 09:23:36 +0300
Subject: [PATCH 093/116] Remove lunar support (#46)

---
 .../resources/static/scripts/download-install-web-eid.sh     | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
index cba4fc1..c9b3fe9 100755
--- a/example/src/main/resources/static/scripts/download-install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/download-install-web-eid.sh
@@ -61,7 +61,6 @@ test_sudo
 # version   name    LTS   supported until
 # 20.04     focal   LTS   2025-04
 # 22.04     jammy   LTS   2027-04
-# 23.04     lunar   -     2024-01
 # 23.10     mantic   -     2024-07
 LATEST_SUPPORTED_UBUNTU_CODENAME='mantic'
 LATEST_SUPPORTED_UBUNTU_VERSION='23.10'
@@ -96,10 +95,10 @@ case $distro in
          *) ;;
       esac
       case $codename in
-        utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute|impish|bionic|kinetic)
+        utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute|impish|bionic|kinetic|lunar)
           make_fail "Ubuntu $codename is not officially supported"
           ;;
-        focal|jammy|lunar|mantic)
+        focal|jammy|mantic)
           make_install $release
           ;;
         *)

From 4a7eeafbcc0618563e87e877c3eab5f50e6cbb90 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 26 Apr 2024 20:40:52 +0300
Subject: [PATCH 094/116] Add v2.5.0 release

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/src/main/resources/templates/index.html | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index 429b6b3..6a86740 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -59,23 +59,18 @@ <h3><a id="usage"></a>Usage</h3>
                             script from the console with<br>
                             <code>wget -O - https://<span th:text="${#httpServletRequest.serverName}"/>/scripts/download-install-web-eid.sh
                                 | bash</code><br>
-                            <b>Note that Firefox is installed with Snap in Ubuntu 22.04 or later by default and as the
-                                Snap sandbox does not allow communication with the external native messaging host, Web
-                                eID will not work.</b>
-                            Install Firefox via the Debian package instead of Snap if you want to use Web eID with
-                            Firefox in Ubuntu 22.04+. Instructions how to do that are available <a
-                                    href="https://www.omgubuntu.co.uk/2022/04/how-to-install-firefox-deb-apt-ubuntu-22-04">here</a>.
+                            Note: as of the 2.5 version, Web eID supports Firefox installed via Snap.
                         </li>
-                        <li>on <b>macOS</b> 11 or later, for Firefox and Chrome from <a
-                                href="https://installer.id.ee/media/web-eid/web-eid_2.4.0.639.dmg">here</a>,
+                        <li>on <b>macOS</b> 12 or later, for Firefox and Chrome from <a
+                                href="https://installer.id.ee/media/web-eid/web-eid_2.5.0.642.dmg">here</a>,
                         </li>
-                        <li>on <b>macOS</b> 11 or later, for Safari, install the extension from <a
+                        <li>on <b>macOS</b> 12 or later, for Safari, install the extension from <a
                                 href="https://apps.apple.com/ee/app/web-eid/id1576665083?mt=12">App Store</a>,
                         </li>
                         <li>on <b>Windows</b> 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server
                             2022,
                             for Firefox, Chrome and Edge from <a
-                                    href="https://installer.id.ee/media/web-eid/web-eid_2.4.0.639.x64.exe">here</a>.
+                                    href="https://installer.id.ee/media/web-eid/web-eid_2.5.0.646.x64.exe">here</a>.
                         </li>
                     </ul>
                 </li>

From bfc26734b66f763781bc9636ca9c8b05b35fcc4d Mon Sep 17 00:00:00 2001
From: Lauris Kaplinski <lauris@raulwalter.com>
Date: Wed, 3 Apr 2024 19:17:37 +0300
Subject: [PATCH 095/116] Upgrade to Spring Boot 3/Spring Security 6

Signed-off-by: Lauris Kaplinski <lauris@raulwalter.com>
---
 example/.github/workflows/maven-build.yml     | 12 ++---
 example/README.md                             |  2 +-
 example/pom.xml                               |  6 +--
 .../config/ApplicationConfiguration.java      | 53 +++++++++----------
 .../SessionBackedChallengeNonceStore.java     |  2 +-
 .../config/ValidationConfiguration.java       |  2 +-
 .../WebEidAjaxLoginProcessingFilter.java      | 19 +++++--
 .../AjaxAuthenticationFailureHandler.java     |  6 +--
 .../AjaxAuthenticationSuccessHandler.java     |  4 +-
 .../example/service/SigningService.java       |  4 +-
 .../webeid/example/web/IndexController.java   | 37 +++++++++++++
 .../webeid/example/web/WelcomeController.java |  2 +-
 .../src/main/resources/templates/index.html   |  2 +-
 .../eu/webeid/example/WebApplicationTest.java |  2 +-
 .../WebEidAjaxLoginProcessingFilterTest.java  |  8 +--
 .../webeid/example/testutil/ObjectMother.java |  2 +-
 16 files changed, 107 insertions(+), 56 deletions(-)
 create mode 100644 example/src/main/java/eu/webeid/example/web/IndexController.java

diff --git a/example/.github/workflows/maven-build.yml b/example/.github/workflows/maven-build.yml
index 7b3120c..14becab 100644
--- a/example/.github/workflows/maven-build.yml
+++ b/example/.github/workflows/maven-build.yml
@@ -7,19 +7,19 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
         with:
           distribution: zulu
-          java-version: 11
+          java-version: 17
 
       - name: Cache Maven packages
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.m2
-          key: ${{ runner.os }}-m2-v11-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/pom.xml') }}
-          restore-keys: ${{ runner.os }}-m2-v11-${{ secrets.CACHE_VERSION }}
+          key: ${{ runner.os }}-m2-v17-${{ secrets.CACHE_VERSION }}-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2-v17-${{ secrets.CACHE_VERSION }}
 
       - name: Build
         run: mvn --batch-mode compile
diff --git a/example/README.md b/example/README.md
index 55049e7..008357d 100644
--- a/example/README.md
+++ b/example/README.md
@@ -49,7 +49,7 @@ You can specify the profile as a command-line argument to the Maven wrapper comm
 
 ### 5. Run the application
 
-Spring Boot web applications can be run from the command-line. You need to have the Java Development Kit 8 installed for building the application package and running the application.
+Spring Boot web applications can be run from the command-line. You need to have the Java Development Kit 17 installed for building the application package and running the application.
 
 Build and run the application with the following command in a terminal window:
 
diff --git a/example/pom.xml b/example/pom.xml
index 3568a9c..49761fe 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.7.15</version>
+		<version>3.1.9</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>org.webeid.example</groupId>
@@ -17,10 +17,10 @@
 	</description>
 
 	<properties>
-		<java.version>11</java.version>
+		<java.version>17</java.version>
 		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
 		<webeid.version>3.0.0</webeid.version>
-		<digidoc4j.version>5.2.0</digidoc4j.version>
+		<digidoc4j.version>5.3.0</digidoc4j.version>
 		<jmockit.version>1.44</jmockit.version>
 	</properties>
 
diff --git a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
index 9fba315..5e974e4 100644
--- a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
@@ -24,53 +24,52 @@
 
 import eu.webeid.example.security.AuthTokenDTOAuthenticationProvider;
 import eu.webeid.example.security.WebEidAjaxLoginProcessingFilter;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
-import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
 @Configuration
 @EnableWebSecurity
-@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true)
-public class ApplicationConfiguration extends WebSecurityConfigurerAdapter implements WebMvcConfigurer {
+@EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
+public class ApplicationConfiguration implements WebMvcConfigurer {
     final AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider;
+    final SecurityContextRepository securityContextRepository;
 
     public ApplicationConfiguration(AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider) {
         this.authTokenDTOAuthenticationProvider = authTokenDTOAuthenticationProvider;
+        this.securityContextRepository = new HttpSessionSecurityContextRepository();
     }
 
-    @Override
-    protected void configure(AuthenticationManagerBuilder authenticationManagerBuilder) {
-        authenticationManagerBuilder.authenticationProvider(authTokenDTOAuthenticationProvider);
+    @Bean
+    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
+        return authenticationConfiguration.getAuthenticationManager();
     }
 
-    @Override
-    protected void configure(HttpSecurity http) throws Exception {
-        // @formatter:off
-        http
-            .addFilterBefore(
-                    new WebEidAjaxLoginProcessingFilter("/auth/login", authenticationManager()),
-                    UsernamePasswordAuthenticationFilter.class)
-            .authorizeRequests()
-            .antMatchers("/auth/challenge", "/auth/login", "/")
-            .permitAll()
-            .antMatchers("/welcome")
-            .authenticated()
-         .and()
-            .logout()
-            .logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler())
-         .and()
-            .headers()
-                .frameOptions().sameOrigin();
-        // @formatter:on
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        AuthenticationManager manager = authenticationManager(http.getSharedObject(AuthenticationConfiguration.class));
+
+        return http
+                .authenticationProvider(authTokenDTOAuthenticationProvider)
+                .addFilterBefore(new WebEidAjaxLoginProcessingFilter("/auth/login", manager, securityContextRepository),
+                        UsernamePasswordAuthenticationFilter.class)
+                .logout(logout -> logout.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
+                .headers(headers -> headers.frameOptions(options -> options.sameOrigin()))
+                .build();
     }
 
+    @Override
     public void addViewControllers(ViewControllerRegistry registry) {
         registry.addViewController("/").setViewName("index");
         registry.addViewController("/welcome").setViewName("welcome");
diff --git a/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java b/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
index c94a324..cb4654d 100644
--- a/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
+++ b/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
@@ -26,7 +26,7 @@
 import eu.webeid.security.challenge.ChallengeNonce;
 import eu.webeid.security.challenge.ChallengeNonceStore;
 
-import javax.servlet.http.HttpSession;
+import jakarta.servlet.http.HttpSession;
 
 public class SessionBackedChallengeNonceStore implements ChallengeNonceStore {
 
diff --git a/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
index 83f0f47..dbe21ee 100644
--- a/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
@@ -37,7 +37,7 @@
 import eu.webeid.security.validator.AuthTokenValidator;
 import eu.webeid.security.validator.AuthTokenValidatorBuilder;
 
-import javax.servlet.http.HttpSession;
+import jakarta.servlet.http.HttpSession;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URI;
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
index ac43205..eb690d8 100644
--- a/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
@@ -24,12 +24,14 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import java.io.IOException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 
 import eu.webeid.example.security.ajax.AjaxAuthenticationFailureHandler;
 import eu.webeid.example.security.ajax.AjaxAuthenticationSuccessHandler;
 import eu.webeid.example.security.dto.AuthTokenDTO;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpMethod;
@@ -37,22 +39,27 @@
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
+import org.springframework.security.web.context.SecurityContextRepository;
 
 public class WebEidAjaxLoginProcessingFilter extends AbstractAuthenticationProcessingFilter {
     private static final Logger LOG = LoggerFactory.getLogger(WebEidAjaxLoginProcessingFilter.class);
+    private final SecurityContextRepository securityContextRepository;
 
     public WebEidAjaxLoginProcessingFilter(
         String defaultFilterProcessesUrl,
-        AuthenticationManager authenticationManager
+        AuthenticationManager authenticationManager,
+        SecurityContextRepository securityContextRepository
     ) {
         super(defaultFilterProcessesUrl);
         this.setAuthenticationManager(authenticationManager);
         this.setAuthenticationSuccessHandler(new AjaxAuthenticationSuccessHandler());
         this.setAuthenticationFailureHandler(new AjaxAuthenticationFailureHandler());
         setSessionAuthenticationStrategy(new SessionFixationProtectionStrategy());
+        this.securityContextRepository = securityContextRepository;
     }
 
     @Override
@@ -76,4 +83,10 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
         LOG.info("attemptAuthentication(): Calling authentication manager");
         return getAuthenticationManager().authenticate(token);
     }
+
+    @Override
+    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
+        super.successfulAuthentication(request, response, chain, authResult); // Generated from nbfs://nbhost/SystemFileSystem/Templates/Classes/Code/OverriddenMethodBody
+        securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);
+    }
 }
diff --git a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
index 8580bca..647698f 100644
--- a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
+++ b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
@@ -27,9 +27,9 @@
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpSession;
 import java.io.IOException;
 
 public class AjaxAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
diff --git a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
index 19d0410..b7b70b9 100644
--- a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
+++ b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
@@ -29,8 +29,8 @@
 import java.util.Collection;
 import java.util.List;
 import java.util.stream.Collectors;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.Authentication;
diff --git a/example/src/main/java/eu/webeid/example/service/SigningService.java b/example/src/main/java/eu/webeid/example/service/SigningService.java
index a7d71b4..69adc1c 100644
--- a/example/src/main/java/eu/webeid/example/service/SigningService.java
+++ b/example/src/main/java/eu/webeid/example/service/SigningService.java
@@ -46,8 +46,8 @@
 import org.springframework.core.io.ByteArrayResource;
 import org.springframework.stereotype.Service;
 
-import javax.servlet.http.HttpSession;
-import javax.xml.bind.DatatypeConverter;
+import jakarta.servlet.http.HttpSession;
+import jakarta.xml.bind.DatatypeConverter;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.NoSuchAlgorithmException;
diff --git a/example/src/main/java/eu/webeid/example/web/IndexController.java b/example/src/main/java/eu/webeid/example/web/IndexController.java
new file mode 100644
index 0000000..e464a50
--- /dev/null
+++ b/example/src/main/java/eu/webeid/example/web/IndexController.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2020-2024 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+package eu.webeid.example.web;
+
+import jakarta.servlet.http.HttpServletRequest;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Controller
+public class IndexController {
+    @GetMapping("/")
+    public String welcome(Model model, HttpServletRequest request) {
+        model.addAttribute("serverName", request.getServerName());
+        return "index";
+    }
+}
diff --git a/example/src/main/java/eu/webeid/example/web/WelcomeController.java b/example/src/main/java/eu/webeid/example/web/WelcomeController.java
index deb7ab8..e61fcc2 100644
--- a/example/src/main/java/eu/webeid/example/web/WelcomeController.java
+++ b/example/src/main/java/eu/webeid/example/web/WelcomeController.java
@@ -29,7 +29,7 @@
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
 
-import javax.validation.constraints.NotNull;
+import jakarta.validation.constraints.NotNull;
 import java.security.Principal;
 
 import static eu.webeid.example.security.AuthTokenDTOAuthenticationProvider.ROLE_USER;
diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index 6a86740..5836d2e 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -57,7 +57,7 @@ <h3><a id="usage"></a>Usage</h3>
                         <li>on <b>Ubuntu Linux</b>, for Firefox and Chrome, download and execute the<br>
                             <a href="/scripts/download-install-web-eid.sh"><code>download-install-web-eid.sh</code></a>
                             script from the console with<br>
-                            <code>wget -O - https://<span th:text="${#httpServletRequest.serverName}"/>/scripts/download-install-web-eid.sh
+                            <code>wget -O - https://<span th:text="${serverName}"/>/scripts/download-install-web-eid.sh
                                 | bash</code><br>
                             Note: as of the 2.5 version, Web eID supports Firefox installed via Snap.
                         </li>
diff --git a/example/src/test/java/eu/webeid/example/WebApplicationTest.java b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
index 4d95f43..d6e343b 100644
--- a/example/src/test/java/eu/webeid/example/WebApplicationTest.java
+++ b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
@@ -59,7 +59,7 @@ public class WebApplicationTest {
     private WebApplicationContext context;
 
     @Autowired
-    private javax.servlet.Filter[] springSecurityFilterChain;
+    private jakarta.servlet.Filter[] springSecurityFilterChain;
 
     private static DefaultMockMvcBuilder mvcBuilder;
 
diff --git a/example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java b/example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java
index 0640a4d..adbaff5 100644
--- a/example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java
+++ b/example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java
@@ -4,14 +4,15 @@
 import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.BufferedReader;
 import java.io.StringReader;
 
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
+import org.springframework.security.web.context.SecurityContextRepository;
 
 class WebEidAjaxLoginProcessingFilterTest {
 
@@ -31,9 +32,10 @@ void testAttemptAuthentication() throws Exception {
         when(request.getReader()).thenReturn(new BufferedReader(new StringReader(AUTH_TOKEN)));
 
         final AuthenticationManager authenticationManager = mock(AuthenticationManager.class);
+        final SecurityContextRepository securityContextRepository = mock(SecurityContextRepository.class);
 
         assertDoesNotThrow(() ->
-                new WebEidAjaxLoginProcessingFilter("/auth/login", authenticationManager)
+                new WebEidAjaxLoginProcessingFilter("/auth/login", authenticationManager, securityContextRepository)
                         .attemptAuthentication(request, response));
     }
 }
\ No newline at end of file
diff --git a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
index ad048fd..f6103d5 100644
--- a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
+++ b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
@@ -33,7 +33,7 @@
 import eu.webeid.example.service.dto.CertificateDTO;
 import eu.webeid.example.service.dto.SignatureDTO;
 
-import javax.xml.bind.DatatypeConverter;
+import jakarta.xml.bind.DatatypeConverter;
 import java.io.FileInputStream;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;

From 05e62694c3f65c151d3eef5e5e3368e1541c3807 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 5 Apr 2024 17:37:10 +0300
Subject: [PATCH 096/116] Clean up pom.xml

WE2-860

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/pom.xml                               | 32 ++++---------------
 .../webeid/example/web/WelcomeController.java |  5 +--
 2 files changed, 9 insertions(+), 28 deletions(-)

diff --git a/example/pom.xml b/example/pom.xml
index 49761fe..e35b076 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -5,21 +5,21 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>3.1.9</version>
+		<version>3.2.4</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
-	<groupId>org.webeid.example</groupId>
+	<groupId>eu.webeid.example</groupId>
 	<artifactId>web-eid-springboot-example</artifactId>
 	<version>3.0.0-SNAPSHOT</version>
 	<name>web-eid-springboot-example</name>
-	<description>Example Spring Boot project that demonstrates how to use Web eID for authentication and digital
+	<description>Example Spring Boot application that demonstrates how to use Web eID for authentication and digital
 		signing
 	</description>
 
 	<properties>
 		<java.version>17</java.version>
-		<maven-surefire-plugin.version>2.22.1</maven-surefire-plugin.version>
-		<webeid.version>3.0.0</webeid.version>
+		<maven-surefire-plugin.version>3.2.5</maven-surefire-plugin.version>
+		<webeid.version>3.0.1</webeid.version>
 		<digidoc4j.version>5.3.0</digidoc4j.version>
 		<jmockit.version>1.44</jmockit.version>
 	</properties>
@@ -31,20 +31,12 @@
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot-starter-validation</artifactId>
+			<artifactId>spring-boot-starter-security</artifactId>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-thymeleaf</artifactId>
 		</dependency>
-		<dependency>
-			<groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot-starter-security</artifactId>
-		</dependency>
-		<dependency>
-			<groupId>org.springframework.security</groupId>
-			<artifactId>spring-security-config</artifactId>
-		</dependency>
 
 		<dependency>
 			<groupId>org.digidoc4j</groupId>
@@ -57,22 +49,10 @@
 			<version>${webeid.version}</version>
 		</dependency>
 
-		<dependency>
-			<groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot-devtools</artifactId>
-			<optional>true</optional>
-		</dependency>
-
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-test</artifactId>
 			<scope>test</scope>
-			<exclusions>
-				<exclusion>
-					<groupId>org.junit.vintage</groupId>
-					<artifactId>junit-vintage-engine</artifactId>
-				</exclusion>
-			</exclusions>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>
diff --git a/example/src/main/java/eu/webeid/example/web/WelcomeController.java b/example/src/main/java/eu/webeid/example/web/WelcomeController.java
index e61fcc2..2ebb763 100644
--- a/example/src/main/java/eu/webeid/example/web/WelcomeController.java
+++ b/example/src/main/java/eu/webeid/example/web/WelcomeController.java
@@ -29,8 +29,8 @@
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
 
-import jakarta.validation.constraints.NotNull;
 import java.security.Principal;
+import java.util.Objects;
 
 import static eu.webeid.example.security.AuthTokenDTOAuthenticationProvider.ROLE_USER;
 
@@ -40,7 +40,8 @@ public class WelcomeController {
 
     @PreAuthorize("hasAuthority('" + ROLE_USER + "')")
     @GetMapping("welcome")
-    public String welcome(Model model, @NotNull Principal principal) {
+    public String welcome(Model model, Principal principal) {
+        Objects.requireNonNull(principal);
         LOG.info("Showing welcome page, logged in as principal={}", principal.getName());
         model.addAttribute("principalName", principal.getName());
         return "welcome";

From bfe9739e8cb36546eff916ae55303b203c5f46ed Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 5 Apr 2024 21:12:45 +0300
Subject: [PATCH 097/116] Make FileDTO Serializable, enable Thymeleaf cache in
 production, use Jackson ObjectWriter and other minor cleanup

WE2-860

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 .../config/ApplicationConfiguration.java      |  3 +-
 .../AuthTokenDTOAuthenticationProvider.java   | 22 +++++++--------
 .../WebEidAjaxLoginProcessingFilter.java      | 23 +++++++--------
 .../AjaxAuthenticationSuccessHandler.java     | 28 ++++++++-----------
 .../example/service/SigningService.java       |  2 +-
 .../webeid/example/service/dto/FileDTO.java   |  3 +-
 .../example/web/rest/ChallengeController.java |  2 +-
 .../src/main/resources/application-prod.yaml  |  3 ++
 .../eu/webeid/example/WebApplicationTest.java |  2 +-
 9 files changed, 44 insertions(+), 44 deletions(-)

diff --git a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
index 5e974e4..cdbe016 100644
--- a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
@@ -31,6 +31,7 @@
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
@@ -65,7 +66,7 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                 .addFilterBefore(new WebEidAjaxLoginProcessingFilter("/auth/login", manager, securityContextRepository),
                         UsernamePasswordAuthenticationFilter.class)
                 .logout(logout -> logout.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
-                .headers(headers -> headers.frameOptions(options -> options.sameOrigin()))
+                .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
                 .build();
     }
 
diff --git a/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java b/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
index 03e535f..9965ff3 100644
--- a/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
+++ b/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
@@ -23,9 +23,12 @@
 package eu.webeid.example.security;
 
 import eu.webeid.example.security.dto.AuthTokenDTO;
+import eu.webeid.security.authtoken.WebEidAuthToken;
+import eu.webeid.security.challenge.ChallengeNonceStore;
+import eu.webeid.security.exceptions.AuthTokenException;
+import eu.webeid.security.validator.AuthTokenValidator;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.AuthenticationServiceException;
 import org.springframework.security.core.Authentication;
@@ -34,15 +37,9 @@
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.stereotype.Component;
-import eu.webeid.security.authtoken.WebEidAuthToken;
-import eu.webeid.security.challenge.ChallengeNonceStore;
-import eu.webeid.security.exceptions.AuthTokenException;
-import eu.webeid.security.validator.AuthTokenValidator;
 
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 
@@ -56,10 +53,13 @@ public class AuthTokenDTOAuthenticationProvider implements AuthenticationProvide
 
     private static final Logger LOG = LoggerFactory.getLogger(AuthTokenDTOAuthenticationProvider.class);
 
-    @Autowired
-    private AuthTokenValidator tokenValidator;
-    @Autowired
-    private ChallengeNonceStore challengeNonceStore;
+    private final AuthTokenValidator tokenValidator;
+    private final ChallengeNonceStore challengeNonceStore;
+
+    public AuthTokenDTOAuthenticationProvider(AuthTokenValidator tokenValidator, ChallengeNonceStore challengeNonceStore) {
+        this.tokenValidator = tokenValidator;
+        this.challengeNonceStore = challengeNonceStore;
+    }
 
     @Override
     public Authentication authenticate(Authentication auth) throws AuthenticationException {
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
index eb690d8..2b4f0cf 100644
--- a/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
@@ -23,15 +23,14 @@
 package eu.webeid.example.security;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
-import java.io.IOException;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
-
+import com.fasterxml.jackson.databind.ObjectReader;
 import eu.webeid.example.security.ajax.AjaxAuthenticationFailureHandler;
 import eu.webeid.example.security.ajax.AjaxAuthenticationSuccessHandler;
 import eu.webeid.example.security.dto.AuthTokenDTO;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpMethod;
@@ -45,14 +44,17 @@
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
 import org.springframework.security.web.context.SecurityContextRepository;
 
+import java.io.IOException;
+
 public class WebEidAjaxLoginProcessingFilter extends AbstractAuthenticationProcessingFilter {
     private static final Logger LOG = LoggerFactory.getLogger(WebEidAjaxLoginProcessingFilter.class);
+    private final ObjectReader OBJECT_READER = new ObjectMapper().readerFor(AuthTokenDTO.class);
     private final SecurityContextRepository securityContextRepository;
 
     public WebEidAjaxLoginProcessingFilter(
-        String defaultFilterProcessesUrl,
-        AuthenticationManager authenticationManager,
-        SecurityContextRepository securityContextRepository
+            String defaultFilterProcessesUrl,
+            AuthenticationManager authenticationManager,
+            SecurityContextRepository securityContextRepository
     ) {
         super(defaultFilterProcessesUrl);
         this.setAuthenticationManager(authenticationManager);
@@ -64,7 +66,7 @@ public WebEidAjaxLoginProcessingFilter(
 
     @Override
     public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
-        throws AuthenticationException, IOException {
+            throws AuthenticationException, IOException {
         if (!HttpMethod.POST.name().equals(request.getMethod())) {
             LOG.warn("HttpMethod not supported: {}", request.getMethod());
             throw new AuthenticationServiceException("HttpMethod not supported: " + request.getMethod());
@@ -76,8 +78,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
         }
 
         LOG.info("attemptAuthentication(): Reading request body");
-        final ObjectMapper objectMapper = new ObjectMapper();
-        final AuthTokenDTO authTokenDTO = objectMapper.readValue(request.getReader(), AuthTokenDTO.class);
+        final AuthTokenDTO authTokenDTO = OBJECT_READER.readValue(request.getReader());
         LOG.info("attemptAuthentication(): Creating token");
         final PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(null, authTokenDTO);
         LOG.info("attemptAuthentication(): Calling authentication manager");
@@ -86,7 +87,7 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ
 
     @Override
     protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
-        super.successfulAuthentication(request, response, chain, authResult); // Generated from nbfs://nbhost/SystemFileSystem/Templates/Classes/Code/OverriddenMethodBody
+        super.successfulAuthentication(request, response, chain, authResult);
         securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);
     }
 }
diff --git a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
index b7b70b9..b545422 100644
--- a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
+++ b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
@@ -25,19 +25,17 @@
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import java.io.IOException;
-import java.util.Collection;
-import java.util.List;
-import java.util.stream.Collectors;
+import com.fasterxml.jackson.databind.ObjectWriter;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
 import org.springframework.stereotype.Component;
 
+import java.io.IOException;
+
 /**
  * Write custom response on having user successfully authenticated.
  * <p>
@@ -50,11 +48,11 @@ public class AjaxAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuc
 
     @Override
     public void onAuthenticationSuccess(
-        HttpServletRequest request,
-        HttpServletResponse response,
-        Authentication authentication
+            HttpServletRequest request,
+            HttpServletResponse response,
+            Authentication authentication
     )
-        throws IOException {
+            throws IOException {
         LOG.info("onAuthenticationSuccess(): {}", authentication);
 
         response.setStatus(HttpServletResponse.SC_OK);
@@ -64,23 +62,19 @@ public void onAuthenticationSuccess(
     }
 
     public static class AuthSuccessDTO {
-        private final ObjectMapper objectMapper = new ObjectMapper();
+        private static final ObjectWriter OBJECT_WRITER = new ObjectMapper().writerFor(AuthSuccessDTO.class);
 
         @JsonProperty("sub")
         private String sub;
 
         @JsonProperty("auth")
-        private List<String> auth;
+        private String auth;
 
         public static String asJson(Authentication authentication) throws JsonProcessingException {
             final AuthSuccessDTO dto = new AuthSuccessDTO();
             dto.sub = authentication.getName();
-            dto.auth = convertAuthorities(authentication.getAuthorities());
-            return dto.objectMapper.writeValueAsString(dto);
-        }
-
-        private static List<String> convertAuthorities(Collection<? extends GrantedAuthority> authorities) {
-            return authorities.stream().map(GrantedAuthority::toString).collect(Collectors.toList());
+            dto.auth = authentication.getAuthorities().toString();
+            return OBJECT_WRITER.writeValueAsString(dto);
         }
     }
 }
diff --git a/example/src/main/java/eu/webeid/example/service/SigningService.java b/example/src/main/java/eu/webeid/example/service/SigningService.java
index 69adc1c..b89835f 100644
--- a/example/src/main/java/eu/webeid/example/service/SigningService.java
+++ b/example/src/main/java/eu/webeid/example/service/SigningService.java
@@ -64,7 +64,7 @@ public class SigningService {
     private static final Logger LOG = LoggerFactory.getLogger(SigningService.class);
     private final Configuration signingConfiguration;
 
-    ObjectFactory<HttpSession> httpSessionFactory;
+    private final ObjectFactory<HttpSession> httpSessionFactory;
 
     public SigningService(ObjectFactory<HttpSession> httpSessionFactory, YAMLConfig yamlConfig) {
         this.httpSessionFactory = httpSessionFactory;
diff --git a/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java b/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java
index dca653b..3a65edc 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java
@@ -27,12 +27,13 @@
 import org.springframework.web.multipart.MultipartFile;
 
 import java.io.IOException;
+import java.io.Serializable;
 import java.net.URI;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.util.Objects;
 
-public class FileDTO {
+public class FileDTO implements Serializable {
     private static final String EXAMPLE_FILENAME = "example-for-signing.txt";
 
     private final String name;
diff --git a/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java b/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java
index 9640fe6..ecc3ee4 100644
--- a/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java
+++ b/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java
@@ -23,10 +23,10 @@
 package eu.webeid.example.web.rest;
 
 import eu.webeid.example.service.dto.ChallengeDTO;
+import eu.webeid.security.challenge.ChallengeNonceGenerator;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
-import eu.webeid.security.challenge.ChallengeNonceGenerator;
 
 @RestController
 @RequestMapping("auth")
diff --git a/example/src/main/resources/application-prod.yaml b/example/src/main/resources/application-prod.yaml
index 709d314..3868f35 100644
--- a/example/src/main/resources/application-prod.yaml
+++ b/example/src/main/resources/application-prod.yaml
@@ -3,3 +3,6 @@ web-eid-auth-token:
     use-digidoc4j-prod-configuration: true
     local-origin: "https://web-eid.eu"
     truststore-password: "changeit"
+spring:
+  thymeleaf:
+    cache: true
diff --git a/example/src/test/java/eu/webeid/example/WebApplicationTest.java b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
index d6e343b..e28e8fa 100644
--- a/example/src/test/java/eu/webeid/example/WebApplicationTest.java
+++ b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
@@ -110,7 +110,7 @@ public void validateOcspResponse(XadesSignature xadesSignature) {
         MvcResult result = HttpHelper.login(mvcBuilder, session, ObjectMother.mockAuthToken());
         session = (MockHttpSession) result.getRequest().getSession();
         MockHttpServletResponse response = result.getResponse();
-        assertEquals("{\"sub\":\"JAAK-KRISTJAN JÕEORG\",\"auth\":[\"ROLE_USER\"]}", response.getContentAsString());
+        assertEquals("{\"sub\":\"JAAK-KRISTJAN JÕEORG\",\"auth\":\"[ROLE_USER]\"}", response.getContentAsString());
 
         /* Example how to test file upload.
         response = HttpHelper.upload(mvcBuilder, session, mockMultipartFile());

From e46a4626b196f6b13a47e2810351c6d2e7698de8 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 5 Apr 2024 21:13:55 +0300
Subject: [PATCH 098/116] Secure endpoints and services that require
 authentication

WE2-860

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 .../example/config/ApplicationConfiguration.java       |  2 +-
 .../java/eu/webeid/example/service/SigningService.java |  8 ++++++--
 .../java/eu/webeid/example/web/WelcomeController.java  |  4 ++--
 .../eu/webeid/example/web/rest/SigningController.java  | 10 +++++++++-
 4 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
index cdbe016..343933f 100644
--- a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
@@ -42,7 +42,7 @@
 
 @Configuration
 @EnableWebSecurity
-@EnableMethodSecurity(securedEnabled = true, jsr250Enabled = true)
+@EnableMethodSecurity(securedEnabled = true)
 public class ApplicationConfiguration implements WebMvcConfigurer {
     final AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider;
     final SecurityContextRepository securityContextRepository;
diff --git a/example/src/main/java/eu/webeid/example/service/SigningService.java b/example/src/main/java/eu/webeid/example/service/SigningService.java
index b89835f..e96af33 100644
--- a/example/src/main/java/eu/webeid/example/service/SigningService.java
+++ b/example/src/main/java/eu/webeid/example/service/SigningService.java
@@ -29,6 +29,8 @@
 import eu.webeid.example.service.dto.FileDTO;
 import eu.webeid.example.service.dto.SignatureDTO;
 import eu.webeid.security.certificate.CertificateData;
+import jakarta.servlet.http.HttpSession;
+import jakarta.xml.bind.DatatypeConverter;
 import org.apache.commons.io.FilenameUtils;
 import org.digidoc4j.Configuration;
 import org.digidoc4j.Container;
@@ -44,10 +46,9 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.ObjectFactory;
 import org.springframework.core.io.ByteArrayResource;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.stereotype.Service;
 
-import jakarta.servlet.http.HttpSession;
-import jakarta.xml.bind.DatatypeConverter;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.NoSuchAlgorithmException;
@@ -55,7 +56,10 @@
 import java.security.cert.X509Certificate;
 import java.util.Objects;
 
+import static eu.webeid.example.security.AuthTokenDTOAuthenticationProvider.ROLE_USER;
+
 @Service
+@Secured(ROLE_USER)
 public class SigningService {
 
     private static final String SESSION_ATTR_FILE = "file-to-sign";
diff --git a/example/src/main/java/eu/webeid/example/web/WelcomeController.java b/example/src/main/java/eu/webeid/example/web/WelcomeController.java
index 2ebb763..0db6fc7 100644
--- a/example/src/main/java/eu/webeid/example/web/WelcomeController.java
+++ b/example/src/main/java/eu/webeid/example/web/WelcomeController.java
@@ -24,7 +24,7 @@
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -35,10 +35,10 @@
 import static eu.webeid.example.security.AuthTokenDTOAuthenticationProvider.ROLE_USER;
 
 @Controller
+@Secured(ROLE_USER)
 public class WelcomeController {
     private static final Logger LOG = LoggerFactory.getLogger(WelcomeController.class);
 
-    @PreAuthorize("hasAuthority('" + ROLE_USER + "')")
     @GetMapping("welcome")
     public String welcome(Model model, Principal principal) {
         Objects.requireNonNull(principal);
diff --git a/example/src/main/java/eu/webeid/example/web/rest/SigningController.java b/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
index 14ecfae..4f935be 100644
--- a/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
+++ b/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
@@ -32,14 +32,22 @@
 import org.springframework.core.io.Resource;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.security.access.annotation.Secured;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
 
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 
+import static eu.webeid.example.security.AuthTokenDTOAuthenticationProvider.ROLE_USER;
+
 @RestController
 @RequestMapping("sign")
+@Secured(ROLE_USER)
 public class SigningController {
 
     private final SigningService signingService;

From 33faef160f8fe53f44e3ca5357a3a73d93556860 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 5 Apr 2024 21:19:24 +0300
Subject: [PATCH 099/116] Override equals() and hashCode() in
 WebEidAuthentication

WE2-860

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 .../webeid/example/security/WebEidAuthentication.java | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
index 4a67020..59ab2a7 100644
--- a/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
@@ -61,4 +61,15 @@ private static String getPrincipalNameFromCertificate(X509Certificate userCertif
         }
     }
 
+    @Override
+    public boolean equals(Object o) {
+        if (!super.equals(o)) return false;
+        WebEidAuthentication that = (WebEidAuthentication) o;
+        return Objects.equals(idCode, that.idCode);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(super.hashCode(), idCode);
+    }
 }

From 8b4bf6d91819b9da3614fb74abd53cb7f492adeb Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 5 Apr 2024 22:02:53 +0300
Subject: [PATCH 100/116] Use method injection to provide
 AuthTokenDTOAuthenticationProvider and AuthenticationConfiguration to
 filterChain(), move HttpSessionSecurityContextRepository creation into
 WebEidAjaxLoginProcessingFilter constructor, update README

WE2-860

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/README.md                             |  4 ++--
 .../config/ApplicationConfiguration.java      | 21 ++-----------------
 .../WebEidAjaxLoginProcessingFilter.java      |  6 +++---
 .../WebEidAjaxLoginProcessingFilterTest.java  |  8 +++----
 4 files changed, 10 insertions(+), 29 deletions(-)

diff --git a/example/README.md b/example/README.md
index 008357d..5ab2297 100644
--- a/example/README.md
+++ b/example/README.md
@@ -17,7 +17,7 @@ Web eID only works over a HTTPS connection with a trusted HTTPS certificate.
 You can either setup a reverse HTTPS proxy during development or, alternatively, configure
 HTTPS support directly in the bundled web server. HTTPS configuration is described in more detail in section _[HTTPS support](#https-support)_ below.
 
-You can use, for example, [_ngrok_](https://ngrok.com/) to get a reverse HTTPS proxy. Download _ngrok_ and run it in a terminal window by providing the protocol and Spring Boot application port arguments as follows:
+You can use, for example, [_ngrok_](https://ngrok.com/) or [_localtunnel_](https://theboroer.github.io/localtunnel-www/) to get a reverse HTTPS proxy. Download _ngrok_ and run it in a terminal window by providing the protocol and Spring Boot application port arguments as follows:
 
     ngrok http 8080
 
@@ -35,7 +35,7 @@ web-eid-auth-token:
 
 ### 3. Configure the trusted certificate authority certificates
 
-The algorithm, which performs the validation of the Web eID authentication token, needs to know which intermediate certificate authorities (CA) are trusted to issue the eID authentication certificates. CA certificates are loaded either from `.cer` files in the profile-specific subdirectory of the [`certs`resource directory](src/main/resources/certs) or the [truststore file](src/main/resources/certs/prod/trusted_certificates.jks). By default, Estonian eID test CA certificates are included in the `dev` profile and production CA certificates in the `prod` profile.
+The algorithm, which performs the validation of the Web eID authentication token, needs to know which intermediate certificate authorities (CA) are trusted to issue the eID authentication certificates. CA certificates are loaded either from `.cer` files in the profile-specific subdirectory of the [`certs` resource directory](src/main/resources/certs) or the [truststore file](src/main/resources/certs/prod/trusted_certificates.jks). By default, Estonian eID test CA certificates are included in the `dev` profile and production CA certificates in the `prod` profile.
 
 In case you need to provide your own CA certificates, either add the `.cer` files to the `src/main/resources/certs/{dev,prod}` profile-specific directory or add the certificates to the truststore file.
 
diff --git a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
index 343933f..d93c942 100644
--- a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
@@ -26,7 +26,6 @@
 import eu.webeid.example.security.WebEidAjaxLoginProcessingFilter;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -35,8 +34,6 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.HttpStatusReturningLogoutSuccessHandler;
-import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
-import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
@@ -44,26 +41,12 @@
 @EnableWebSecurity
 @EnableMethodSecurity(securedEnabled = true)
 public class ApplicationConfiguration implements WebMvcConfigurer {
-    final AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider;
-    final SecurityContextRepository securityContextRepository;
-
-    public ApplicationConfiguration(AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider) {
-        this.authTokenDTOAuthenticationProvider = authTokenDTOAuthenticationProvider;
-        this.securityContextRepository = new HttpSessionSecurityContextRepository();
-    }
-
-    @Bean
-    public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
-        return authenticationConfiguration.getAuthenticationManager();
-    }
 
     @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-        AuthenticationManager manager = authenticationManager(http.getSharedObject(AuthenticationConfiguration.class));
-
+    public SecurityFilterChain filterChain(HttpSecurity http, AuthTokenDTOAuthenticationProvider authTokenDTOAuthenticationProvider, AuthenticationConfiguration authConfig) throws Exception {
         return http
                 .authenticationProvider(authTokenDTOAuthenticationProvider)
-                .addFilterBefore(new WebEidAjaxLoginProcessingFilter("/auth/login", manager, securityContextRepository),
+                .addFilterBefore(new WebEidAjaxLoginProcessingFilter("/auth/login", authConfig.getAuthenticationManager()),
                         UsernamePasswordAuthenticationFilter.class)
                 .logout(logout -> logout.logoutSuccessHandler(new HttpStatusReturningLogoutSuccessHandler()))
                 .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin))
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
index 2b4f0cf..cc47f86 100644
--- a/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
@@ -42,6 +42,7 @@
 import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextRepository;
 
 import java.io.IOException;
@@ -53,15 +54,14 @@ public class WebEidAjaxLoginProcessingFilter extends AbstractAuthenticationProce
 
     public WebEidAjaxLoginProcessingFilter(
             String defaultFilterProcessesUrl,
-            AuthenticationManager authenticationManager,
-            SecurityContextRepository securityContextRepository
+            AuthenticationManager authenticationManager
     ) {
         super(defaultFilterProcessesUrl);
         this.setAuthenticationManager(authenticationManager);
         this.setAuthenticationSuccessHandler(new AjaxAuthenticationSuccessHandler());
         this.setAuthenticationFailureHandler(new AjaxAuthenticationFailureHandler());
         setSessionAuthenticationStrategy(new SessionFixationProtectionStrategy());
-        this.securityContextRepository = securityContextRepository;
+        this.securityContextRepository = new HttpSessionSecurityContextRepository();
     }
 
     @Override
diff --git a/example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java b/example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java
index adbaff5..cb95073 100644
--- a/example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java
+++ b/example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java
@@ -1,18 +1,17 @@
 package eu.webeid.example.security;
 
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import org.junit.jupiter.api.Test;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
 import java.io.BufferedReader;
 import java.io.StringReader;
 
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
-import org.springframework.security.web.context.SecurityContextRepository;
 
 class WebEidAjaxLoginProcessingFilterTest {
 
@@ -32,10 +31,9 @@ void testAttemptAuthentication() throws Exception {
         when(request.getReader()).thenReturn(new BufferedReader(new StringReader(AUTH_TOKEN)));
 
         final AuthenticationManager authenticationManager = mock(AuthenticationManager.class);
-        final SecurityContextRepository securityContextRepository = mock(SecurityContextRepository.class);
 
         assertDoesNotThrow(() ->
-                new WebEidAjaxLoginProcessingFilter("/auth/login", authenticationManager, securityContextRepository)
+                new WebEidAjaxLoginProcessingFilter("/auth/login", authenticationManager)
                         .attemptAuthentication(request, response));
     }
 }
\ No newline at end of file

From 3db96fdc985e57eb0774f9da39c8dc44324ecb75 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 30 Apr 2024 16:41:16 +0300
Subject: [PATCH 101/116] Use Java 17 base image in Jib

WE2-860

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/pom.xml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/example/pom.xml b/example/pom.xml
index e35b076..9739035 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -22,6 +22,7 @@
 		<webeid.version>3.0.1</webeid.version>
 		<digidoc4j.version>5.3.0</digidoc4j.version>
 		<jmockit.version>1.44</jmockit.version>
+		<jib.version>3.4.2</jib.version>
 	</properties>
 
 	<dependencies>
@@ -84,6 +85,16 @@
 					<disableXmlReport>true</disableXmlReport>
 				</configuration>
 			</plugin>
+			<plugin>
+				<groupId>com.google.cloud.tools</groupId>
+				<artifactId>jib-maven-plugin</artifactId>
+				<version>${jib.version}</version>
+				<configuration>
+					<from>
+						<image>eclipse-temurin:${java.version}-jre-jammy</image>
+					</from>
+				</configuration>
+			</plugin>
 		</plugins>
 	</build>
 

From 1b55e1b4fa0a3d7b3a1848b1dd083bce76e4f771 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Tue, 7 May 2024 14:46:43 +0300
Subject: [PATCH 102/116] Use Optional in CertificateData

WE2-931

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/pom.xml                               |  2 +-
 .../security/WebEidAuthentication.java        | 19 ++++++++++++-------
 .../example/service/SigningService.java       | 16 +++++++++-------
 3 files changed, 22 insertions(+), 15 deletions(-)

diff --git a/example/pom.xml b/example/pom.xml
index 9739035..ff4bc68 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -19,7 +19,7 @@
 	<properties>
 		<java.version>17</java.version>
 		<maven-surefire-plugin.version>3.2.5</maven-surefire-plugin.version>
-		<webeid.version>3.0.1</webeid.version>
+		<webeid.version>3.0.2-SNAPSHOT</webeid.version>
 		<digidoc4j.version>5.3.0</digidoc4j.version>
 		<jmockit.version>1.44</jmockit.version>
 		<jib.version>3.4.2</jib.version>
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
index 59ab2a7..c039007 100644
--- a/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
@@ -22,15 +22,16 @@
 
 package eu.webeid.example.security;
 
+import eu.webeid.security.certificate.CertificateData;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
-import eu.webeid.security.certificate.CertificateData;
 
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.util.List;
 import java.util.Objects;
+import java.util.Optional;
 
 public class WebEidAuthentication extends PreAuthenticatedAuthenticationToken implements Authentication {
 
@@ -38,7 +39,8 @@ public class WebEidAuthentication extends PreAuthenticatedAuthenticationToken im
 
     public static Authentication fromCertificate(X509Certificate userCertificate, List<GrantedAuthority> authorities) throws CertificateEncodingException {
         final String principalName = getPrincipalNameFromCertificate(userCertificate);
-        final String idCode = Objects.requireNonNull(CertificateData.getSubjectIdCode(userCertificate));
+        final String idCode = CertificateData.getSubjectIdCode(userCertificate)
+                .orElseThrow(() -> new CertificateEncodingException("Certificate does not contain subject ID code"));
         return new WebEidAuthentication(principalName, idCode, authorities);
     }
 
@@ -52,12 +54,15 @@ private WebEidAuthentication(String principalName, String idCode, List<GrantedAu
     }
 
     private static String getPrincipalNameFromCertificate(X509Certificate userCertificate) throws CertificateEncodingException {
-        try {
-            return Objects.requireNonNull(CertificateData.getSubjectGivenName(userCertificate)) + ' ' +
-                    Objects.requireNonNull(CertificateData.getSubjectSurname(userCertificate));
-        } catch (CertificateEncodingException e) {
+        final Optional<String> givenName = CertificateData.getSubjectGivenName(userCertificate);
+        final Optional<String> surname = CertificateData.getSubjectSurname(userCertificate);
+
+        if (givenName.isPresent() && surname.isPresent()) {
+            return givenName.get() + ' ' + surname.get();
+        } else {
             // Organization certificates do not have given name and surname fields.
-            return Objects.requireNonNull(CertificateData.getSubjectCN(userCertificate));
+            return CertificateData.getSubjectCN(userCertificate)
+                    .orElseThrow(() -> new CertificateEncodingException("Certificate does not contain subject CN"));
         }
     }
 
diff --git a/example/src/main/java/eu/webeid/example/service/SigningService.java b/example/src/main/java/eu/webeid/example/service/SigningService.java
index e96af33..507b4b3 100644
--- a/example/src/main/java/eu/webeid/example/service/SigningService.java
+++ b/example/src/main/java/eu/webeid/example/service/SigningService.java
@@ -90,15 +90,17 @@ private HttpSession currentSession() {
      * @return data to be signed
      */
     public DigestDTO prepareContainer(CertificateDTO certificateDTO, WebEidAuthentication authentication) throws CertificateException, NoSuchAlgorithmException, IOException {
-        X509Certificate certificate = certificateDTO.toX509Certificate();
-        if (!authentication.getIdCode().equals(CertificateData.getSubjectIdCode(certificate))) {
+        final X509Certificate certificate = certificateDTO.toX509Certificate();
+        final String signingIdCode = CertificateData.getSubjectIdCode(certificate)
+                .orElseThrow(() -> new RuntimeException("Certificate does not contain subject ID code"));
+        if (!signingIdCode.equals(authentication.getIdCode())) {
             throw new IllegalArgumentException("Authenticated subject ID code differs from " +
                     "signing certificate subject ID code");
         }
 
-        FileDTO fileDTO = FileDTO.getExampleForSigningFromResources();
-        Container containerToSign = getContainerToSign(fileDTO);
-        String containerName = generateContainerName(fileDTO.getName());
+        final FileDTO fileDTO = FileDTO.getExampleForSigningFromResources();
+        final Container containerToSign = getContainerToSign(fileDTO);
+        final String containerName = generateContainerName(fileDTO.getName());
 
         currentSession().setAttribute(SESSION_ATTR_CONTAINER, containerToSign);
         currentSession().setAttribute(SESSION_ATTR_FILE, fileDTO);
@@ -113,7 +115,7 @@ public DigestDTO prepareContainer(CertificateDTO certificateDTO, WebEidAuthentic
                     "' is not supported. Supported algorithms are: " + String.join(", ", certificateDTO.getSupportedHashFunctionNames()));
         }
 
-        DataToSign dataToSign = SignatureBuilder
+        final DataToSign dataToSign = SignatureBuilder
                 .aSignature(containerToSign)
                 .withSignatureProfile(SignatureProfile.LT) // AIA OCSP is supported for signatures with LT or LTA profile.
                 .withSigningCertificate(certificate)
@@ -127,7 +129,7 @@ public DigestDTO prepareContainer(CertificateDTO certificateDTO, WebEidAuthentic
         final byte[] digest = signatureDigestAlgorithm.getDssDigestAlgorithm().getMessageDigest()
                 .digest(dataToSign.getDataToSign());
 
-        DigestDTO digestDTO = new DigestDTO();
+        final DigestDTO digestDTO = new DigestDTO();
         digestDTO.setHash(DatatypeConverter.printBase64Binary(digest));
         digestDTO.setHashFunction(digestAlgorithmName);
 

From e6200b8f02f9c1eb316082cb20f89a7b971e9dd3 Mon Sep 17 00:00:00 2001
From: Raul Metsma <raul@metsma.ee>
Date: Wed, 1 May 2024 15:29:44 +0300
Subject: [PATCH 103/116] Add new TEST ORG certificate issuers

WE2-924

Signed-off-by: Raul Metsma <raul@metsma.ee>
---
 .../resources/certs/dev/TEST_ORG_2021E.cer    | 22 +++++++++++
 .../resources/certs/dev/TEST_ORG_2021R.cer    | 39 +++++++++++++++++++
 2 files changed, 61 insertions(+)
 create mode 100644 example/src/main/resources/certs/dev/TEST_ORG_2021E.cer
 create mode 100644 example/src/main/resources/certs/dev/TEST_ORG_2021R.cer

diff --git a/example/src/main/resources/certs/dev/TEST_ORG_2021E.cer b/example/src/main/resources/certs/dev/TEST_ORG_2021E.cer
new file mode 100644
index 0000000..bf399a9
--- /dev/null
+++ b/example/src/main/resources/certs/dev/TEST_ORG_2021E.cer
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoDCCAwOgAwIBAgIQcyqWqJYuHMpg+S/gNJArMTAKBggqhkjOPQQDAzBuMQsw
+CQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRh
+DA5OVFJFRS0xMDc0NzAxMzEpMCcGA1UEAwwgVEVTVCBvZiBTSyBJRCBTb2x1dGlv
+bnMgUk9PVCBHMUUwHhcNMjEwNzIyMDg0NDE2WhcNMzYwNzIyMDg0NDE2WjBvMQsw
+CQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYDVQRh
+DA5OVFJFRS0xMDc0NzAxMzEqMCgGA1UEAwwhVEVTVCBvZiBTSyBJRCBTb2x1dGlv
+bnMgT1JHIDIwMjFFMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEPN17jh+wlx7U0fND
+5Vd+xix//r/XXBrK2JPgzXPT3ApkHQwBuMMcRAT3xTZ0UtiRbfo6mClvtZdyEcyf
+qw8xUd7rZ/jJHkHE+Ea/5x8sZtgBRRBdga932N40gkRuTfdEo4IBYzCCAV8wHwYD
+VR0jBBgwFoAU4hzeY9y++IR+ATsuS4Cx4X/V8eYwHQYDVR0OBBYEFEmnHNBblRgz
+FcEe8pie53tLDoZpMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEA
+MGwGCCsGAQUFBwEBBGAwXjAiBggrBgEFBQcwAYYWaHR0cDovL2RlbW8uc2suZWUv
+b2NzcDA4BggrBgEFBQcwAoYsaHR0cDovL2Muc2suZWUvVEVTVF9TS19ST09UX0cx
+XzIwMjFFLmRlci5jcnQwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2Muc2suZWUv
+VEVTVF9TS19ST09UX0cxXzIwMjFFLmNybDBQBgNVHSAESTBHMEUGBFUdIAAwPTA7
+BggrBgEFBQcCARYvaHR0cHM6Ly93d3cuc2tpZHNvbHV0aW9ucy5ldS9lbi9yZXBv
+c2l0b3J5L0NQUy8wCgYIKoZIzj0EAwMDgYoAMIGGAkFeLgoCd2OgKM/9YM2eizwD
+Mdb8DIE2aX9a5czWUXypSa+fA5HXry4oAFqY3ed7TWrgaX+RgD4ejuHDJUN3fVmb
+zwJBHI1S8XxeM2+c0YUJQMU1SY2VVcVax6110r1aBDr90RAF2a9H8sKRVYtz21lC
+bM/wb9Lg61nkctY91DVjvWMj138=
+-----END CERTIFICATE-----
diff --git a/example/src/main/resources/certs/dev/TEST_ORG_2021R.cer b/example/src/main/resources/certs/dev/TEST_ORG_2021R.cer
new file mode 100644
index 0000000..6eb8091
--- /dev/null
+++ b/example/src/main/resources/certs/dev/TEST_ORG_2021R.cer
@@ -0,0 +1,39 @@
+-----BEGIN CERTIFICATE-----
+MIIGzDCCBLSgAwIBAgIQPadGvT+ZiMRhHPzivWSWBDANBgkqhkiG9w0BAQwFADBu
+MQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYD
+VQRhDA5OVFJFRS0xMDc0NzAxMzEpMCcGA1UEAwwgVEVTVCBvZiBTSyBJRCBTb2x1
+dGlvbnMgUk9PVCBHMVIwHhcNMjEwODE4MTIyODE4WhcNMzYwODE4MTIyODE4WjBv
+MQswCQYDVQQGEwJFRTEbMBkGA1UECgwSU0sgSUQgU29sdXRpb25zIEFTMRcwFQYD
+VQRhDA5OVFJFRS0xMDc0NzAxMzEqMCgGA1UEAwwhVEVTVCBvZiBTSyBJRCBTb2x1
+dGlvbnMgT1JHIDIwMjFSMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
+vRcXPfY+T3pZl0ou0HQ76GEcOSqa8LmktDjFlWRlessGR+A70AiNw1k6s98Ic6wv
+u+KUnRSdXCu+QANnkJVr75+W4heWAgJL0aOwDsBRIqn/aFiaW49+7Vw8zdlH6LnU
+8YFDTvjy7tgX1ZyqFI9s31MJ84p9YH+DOwEYB8VMdkwa9wVBIu3oDh9hCTVUZtZF
+G/yOI0/Tu9eKRbLSK6Je/op2IvEXqZwZVnWpR/yAAfyYOsY6/t9iieCknvQtWXnu
+pxMm9HybUoOqHQ6QKz0nTY4As0sDuNom0aVmHeNR7W+ebJtiU8H/zqr+yR46qauD
+QSrVqBlKfR7ZGLGPxvW38qfQpoQ2okaR+bUrrAcscJidwT3+0n1+2t4jSX6OTXu2
+HsPjk7dmcrGhTtQh2BcjbhHit+nOS3BuB1QOJ8tXsdj1nsaHPae6ZeH/KbMetBeh
+BCwpXcNP3aR+AfVJWzgLObZSrqeCzGsfSfBQvracTjZzJp9NGXTZBe9MzcYomr2d
+I7mqt/wa5N6i7eDa75cv+FncGrRKJkQ1JRRPynGcQK/dOVrmjjdeJGf6vgqWP/WI
+KTuXYdovCnvXhO+PuOifRiP0scnWN+YXR7R3EXT50rk79lNrOOzcqmft3B2EVsVI
+BPJTwjnSiNXZRHSoedOPJEInLQ7sP9uDWbqMd04/yYUCAwEAAaOCAWMwggFfMB8G
+A1UdIwQYMBaAFMaIk1tHkln1YUO+2L6I5FaPti5RMB0GA1UdDgQWBBSJNpEi++WV
+9vJUbwBlF9+7AA6VxTAOBgNVHQ8BAf8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIB
+ADBsBggrBgEFBQcBAQRgMF4wIgYIKwYBBQUHMAGGFmh0dHA6Ly9kZW1vLnNrLmVl
+L29jc3AwOAYIKwYBBQUHMAKGLGh0dHA6Ly9jLnNrLmVlL1RFU1RfU0tfUk9PVF9H
+MV8yMDIxUi5kZXIuY3J0MDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jLnNrLmVl
+L1RFU1RfU0tfUk9PVF9HMV8yMDIxUi5jcmwwUAYDVR0gBEkwRzBFBgRVHSAAMD0w
+OwYIKwYBBQUHAgEWL2h0dHBzOi8vd3d3LnNraWRzb2x1dGlvbnMuZXUvZW4vcmVw
+b3NpdG9yeS9DUFMvMA0GCSqGSIb3DQEBDAUAA4ICAQCInhE2mlWOwF5ZgXEgBP4G
+rVAp7SLyqOoeeIB1PkTX9zZTN7zm+G1T9jYBYAbskIKsIQYz8Rg/HaXkg1MDl1lf
+7M9CYbWTZanOPzSfAUS1u49pnyKr74DIRCo2bdD4e2ofS5y/uMu3qE1wClzO6TJo
+oJtX1PGTptqKclZywxAVeoCisT1f48PW6dq0b5i6LTtDTDSSKGUgvdm18af0TSMn
+kozsxIWzY06TmDfJvlPB12h8vIlzBZXHoVH89wBtffV1uVpc8btyZqqYnqPivXSM
+clQMuTmJSZjZoOQ695JqN92kSy8aDc9Bxqb+XsBmmjr26nvvW54y68TUZSz1D29n
+eBPy0DB60ZAFRgtyfanlPZL8KymBan45u88rE5S3GOl0kbkYOmsIoCv4BHILxlQl
+ddFY+BGkDwM8bEQ480AERTXcp+4rXUj80kXIsa5NR5z2+LaDvy2j3tVcY7iRkdIU
+nVWYwxEEgU0dbzxl+LlSx/ad9dGzbhvhsEiq93jz2qJdpsC6EiBlBGCRyfwEgv8a
+CqDTAJNqnY3+UzTzYds1HlMfxSyzoi01zyfN4DtWl2RTCslBZ0/XLnn4HaTSU5Bq
+wESseW9CPJRaO+W3ERsSRAW9tjDuEuBxWAN91OWlkk6GpLJkr3/4UcO85pVgNJf3
+Q4sZkdHlzV6yY/Cq1S+b9Q==
+-----END CERTIFICATE-----

From 0313507369f1c587eaabd8653cb6c2478c346c3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mart=20S=C3=B5mermaa?= <mrts.pydev@gmail.com>
Date: Fri, 31 May 2024 14:42:55 +0300
Subject: [PATCH 104/116] Update Web eID group ID to eu.webeid.security, amend
 REAME (#51)

WE2-899

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
Co-authored-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/README.md | 4 +++-
 example/pom.xml   | 8 ++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/example/README.md b/example/README.md
index 5ab2297..a9d34d2 100644
--- a/example/README.md
+++ b/example/README.md
@@ -17,7 +17,7 @@ Web eID only works over a HTTPS connection with a trusted HTTPS certificate.
 You can either setup a reverse HTTPS proxy during development or, alternatively, configure
 HTTPS support directly in the bundled web server. HTTPS configuration is described in more detail in section _[HTTPS support](#https-support)_ below.
 
-You can use, for example, [_ngrok_](https://ngrok.com/) or [_localtunnel_](https://theboroer.github.io/localtunnel-www/) to get a reverse HTTPS proxy. Download _ngrok_ and run it in a terminal window by providing the protocol and Spring Boot application port arguments as follows:
+You can use solutions like [_ngrok_](https://ngrok.com/), [_localtunnel_](https://theboroer.github.io/localtunnel-www/), or any other reverse HTTPS proxy tool. For example, with _ngrok_, download and run it in a terminal window by providing the protocol and the Spring Boot application port arguments as follows:
 
     ngrok http 8080
 
@@ -33,6 +33,8 @@ web-eid-auth-token:
         local-origin: "https://<<NGROK HOSTNAME HERE>>"
 ```
 
+**Note that the origin URL must not end with a slash `/`**.
+
 ### 3. Configure the trusted certificate authority certificates
 
 The algorithm, which performs the validation of the Web eID authentication token, needs to know which intermediate certificate authorities (CA) are trusted to issue the eID authentication certificates. CA certificates are loaded either from `.cer` files in the profile-specific subdirectory of the [`certs` resource directory](src/main/resources/certs) or the [truststore file](src/main/resources/certs/prod/trusted_certificates.jks). By default, Estonian eID test CA certificates are included in the `dev` profile and production CA certificates in the `prod` profile.
diff --git a/example/pom.xml b/example/pom.xml
index ff4bc68..8cc9135 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -5,12 +5,12 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>3.2.4</version>
+		<version>3.3.0</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>eu.webeid.example</groupId>
 	<artifactId>web-eid-springboot-example</artifactId>
-	<version>3.0.0-SNAPSHOT</version>
+	<version>3.1.0</version>
 	<name>web-eid-springboot-example</name>
 	<description>Example Spring Boot application that demonstrates how to use Web eID for authentication and digital
 		signing
@@ -19,7 +19,7 @@
 	<properties>
 		<java.version>17</java.version>
 		<maven-surefire-plugin.version>3.2.5</maven-surefire-plugin.version>
-		<webeid.version>3.0.2-SNAPSHOT</webeid.version>
+		<webeid.version>3.1.0</webeid.version>
 		<digidoc4j.version>5.3.0</digidoc4j.version>
 		<jmockit.version>1.44</jmockit.version>
 		<jib.version>3.4.2</jib.version>
@@ -45,7 +45,7 @@
 			<version>${digidoc4j.version}</version>
 		</dependency>
 		<dependency>
-			<groupId>org.webeid.security</groupId>
+			<groupId>eu.webeid.security</groupId>
 			<artifactId>authtoken-validation</artifactId>
 			<version>${webeid.version}</version>
 		</dependency>

From aa651e887de057c9555582dd1b7253dfe7704688 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mart=20S=C3=B5mermaa?= <mrts.pydev@gmail.com>
Date: Mon, 3 Jun 2024 08:25:28 +0300
Subject: [PATCH 105/116] Add Belgian test CA certs, bump Docker image to 3.1.0
 and update paths in README.md (#52)

WE2-886, WE2-808

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
Co-authored-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/README.md                             |  6 +++---
 example/docker-compose.yml                    |  2 +-
 .../certs/dev/eID-TEST-EC-Citizen-CA.cer      | 19 +++++++++++++++++++
 .../certs/dev/eID-TEST-EC-Root-CA.cer         | 14 ++++++++++++++
 4 files changed, 37 insertions(+), 4 deletions(-)
 create mode 100644 example/src/main/resources/certs/dev/eID-TEST-EC-Citizen-CA.cer
 create mode 100644 example/src/main/resources/certs/dev/eID-TEST-EC-Root-CA.cer

diff --git a/example/README.md b/example/README.md
index a9d34d2..f0e6651 100644
--- a/example/README.md
+++ b/example/README.md
@@ -110,7 +110,7 @@ There is also a Docker Compose configuration file `docker-compose.yml` in the ro
 
 The source code folder `src` contains the application source code and resources in the `main` subdirectory and tests in the `test` subdirectory.
 
-The `src/main/java/org/webeid/example` directory contains the Spring Boot application Java class and the following subdirectories:
+The `src/main/java/eu/webeid/example` directory contains the Spring Boot application Java class and the following subdirectories:
 
 -   `config`: Spring and HTTP security configuration, Web eID authentication token validation library configuration, trusted CA certificates loading etc,
 -   `security`: Web eID authentication token validation library integration with Spring Security via an `AuthenticationProvider` and `AuthenticationProcessingFilter`,
@@ -144,13 +144,13 @@ Spring Security has CSRF protection enabled by default. Web eID requires CSRF pr
 
 ### Integration with Web eID components
 
-Detailed overview of Java code changes required for integrating Web eID authentication token validation is available in the [_web-eid-authtoken-validation-java_ library README](https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/README.md). There are instructions for configuring the nonce generator, trusted certificate authority certificates, authentication token validator, Spring Security authentication integration and REST endpoints. The corresponding Java code is in the `src/main/java/org/webeid/example/{config,security,web/rest}` directories.
+Detailed overview of Java code changes required for integrating Web eID authentication token validation is available in the [_web-eid-authtoken-validation-java_ library README](https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/README.md). There are instructions for configuring the nonce generator, trusted certificate authority certificates, authentication token validator, Spring Security authentication integration and REST endpoints. The corresponding Java code is in the `src/main/java/eu/webeid/example/{config,security,web/rest}` directories.
 
 A similar overview of JavaScript and HTML code changes required for authentication and digital signing with Web eID is available in the [web-eid.js library README](https://github.com/web-eid/web-eid.js/blob/main/README.md). The corresponding JavaScript and HTML code is in the `src/resources/{static,templates}` directories.
 
 ### Integration with DigiDoc4j components
 
-Java code examples that show how to create and sign data containers that hold signed file objects and digital signatures is available in the [DigiDoc4j wiki](https://github.com/open-eid/digidoc4j/wiki/Examples-of-using-it). Further information and links to the API documentation is available in the project [README](https://github.com/open-eid/digidoc4j/blob/master/README.md). The corresponding Java code is in the `src/main/java/org/webeid/example/{service,web/rest}` directories.
+Java code examples that show how to create and sign data containers that hold signed file objects and digital signatures is available in the [DigiDoc4j wiki](https://github.com/open-eid/digidoc4j/wiki/Examples-of-using-it). Further information and links to the API documentation is available in the project [README](https://github.com/open-eid/digidoc4j/blob/master/README.md). The corresponding Java code is in the `src/main/java/eu/webeid/example/{service,web/rest}` directories.
 
 #### Using the Certificates' _Authority Information Access_ (AIA) extension in DigiDoc4j
 
diff --git a/example/docker-compose.yml b/example/docker-compose.yml
index bae7f83..239d19a 100644
--- a/example/docker-compose.yml
+++ b/example/docker-compose.yml
@@ -1,7 +1,7 @@
 version: '2'
 services:
   web-eid-springboot-example:
-    image: web-eid-springboot-example:3.0.0-SNAPSHOT
+    image: web-eid-springboot-example:3.1.0
     restart: always
     environment:
       JAVA_TOOL_OPTIONS: '-Dspring.profiles.active=prod'
diff --git a/example/src/main/resources/certs/dev/eID-TEST-EC-Citizen-CA.cer b/example/src/main/resources/certs/dev/eID-TEST-EC-Citizen-CA.cer
new file mode 100644
index 0000000..06456b7
--- /dev/null
+++ b/example/src/main/resources/certs/dev/eID-TEST-EC-Citizen-CA.cer
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDKTCCAq+gAwIBAgIIcND8I1qptLUwCgYIKoZIzj0EAwMwKzELMAkGA1UEBhMC
+QkUxHDAaBgNVBAMME2VJRCBURVNUIEVDIFJvb3QgQ0EwIBcNMDcwNDMwMjIwMDIw
+WhgPMjA4NzA0MTAyMjAwMjBaMC4xCzAJBgNVBAYTAkJFMR8wHQYDVQQDDBZlSUQg
+VEVTVCBFQyBDaXRpemVuIENBMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEJAiNoOQf
+Y0r8N6JVPMLedXyRZ7MwppGwQ9ZxFzLjVsbeKuUvqEFR0yKKyEidXc875m4UF5lR
+pf/FSWagg2IXGWrypnRZkgnNVP6s5W2LzKdV09hd6v7O8j/8knfHOj+No4IBmTCC
+AZUwHQYDVR0OBBYEFN2zf+OaGY5ZyRFWAi31+p1v3oRLMB8GA1UdIwQYMBaAFCHA
+clfKHAQEGR3ZjH4+tYPrrBwCMA4GA1UdDwEB/wQEAwIBBjBIBgNVHSAEQTA/MD0G
+BmA4DAEBAjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vZWlkZGV2Y2FyZHMuemV0ZXNj
+YXJkcy5iZS9jZXJ0MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDBCBgNV
+HR8EOzA5MDegNaAzhjFodHRwOi8vZWlkZGV2Y2FyZHMuemV0ZXNjYXJkcy5iZS9j
+cmwvcm9vdGNhRUMuY3JsMIGBBggrBgEFBQcBAQR1MHMwPgYIKwYBBQUHMAKGMmh0
+dHA6Ly9laWRkZXZjYXJkcy56ZXRlc2NhcmRzLmJlL2NlcnQvcm9vdGNhRUMuY3J0
+MDEGCCsGAQUFBzABhiVodHRwOi8vZWlkZGV2Y2FyZHMuemV0ZXNjYXJkcy5iZTo4
+ODg4MBIGA1UdEwEB/wQIMAYBAf8CAQAwCgYIKoZIzj0EAwMDaAAwZQIxAOMiiByF
+0aLEA6zUrobMw7aSH5o2u1hGVMe0AL4ezYztRdfxvXVU+m1JosBVBDDjeAIwYJJN
+7bLWw8BVi/lkxRjKL/+zAJP6djGywXI1pVh4HKb0D+tipq5StO+QnM8cnPmg
+-----END CERTIFICATE-----
diff --git a/example/src/main/resources/certs/dev/eID-TEST-EC-Root-CA.cer b/example/src/main/resources/certs/dev/eID-TEST-EC-Root-CA.cer
new file mode 100644
index 0000000..3908e4c
--- /dev/null
+++ b/example/src/main/resources/certs/dev/eID-TEST-EC-Root-CA.cer
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICNDCCAbugAwIBAgIBATAKBggqhkjOPQQDAzArMQswCQYDVQQGEwJCRTEcMBoG
+A1UEAwwTZUlEIFRFU1QgRUMgUm9vdCBDQTAgFw0wNzA0MzAyMjAwMTBaGA8yMDg4
+MDQwOTIyMDAxMFowKzELMAkGA1UEBhMCQkUxHDAaBgNVBAMME2VJRCBURVNUIEVD
+IFJvb3QgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASYqtYIKayPGXFNDaGkPdCa
+dQCSC8D2W8aKE7xh850ykG0bJXMV7IaKZWo0ZXUb55g9S95gjDNeZ0iNo75dY/mW
+oozI6I2l106OdPL+yAcHI6id4uR7Fd0nQxeBICdmjnCjgbAwga0wHQYDVR0OBBYE
+FCHAclfKHAQEGR3ZjH4+tYPrrBwCMB8GA1UdIwQYMBaAFCHAclfKHAQEGR3ZjH4+
+tYPrrBwCMA4GA1UdDwEB/wQEAwIBBjBHBgNVHSAEQDA+MDwGBWA4DAEBMDMwMQYI
+KwYBBQUHAgEWJWh0dHA6Ly9laWRkZXZjYXJkcy56ZXRlc2NhcmRzLmJlL2NlcnQw
+EgYDVR0TAQH/BAgwBgEB/wIBATAKBggqhkjOPQQDAwNnADBkAjBM2P48H8f2FY0N
+Hm1uAdgXwYoBRkUFOq8Kccd7l6Y8RavzAkMQmLgVF3s5euuv6fcCMCW4UGWpnOTO
+A+t4V9/+kPMjGqgC9Uw4nOKkwkwQs3IeWfc7Na6l+U8r4M7VH49/cw==
+-----END CERTIFICATE-----

From 750beb6d3b867d478689f7af05f1e1134f62f8ef Mon Sep 17 00:00:00 2001
From: Kristel Merilain <kristel.merilain@ria.ee>
Date: Fri, 14 Jun 2024 07:13:49 +0300
Subject: [PATCH 106/116] Add noble support

IB-7869

Signed-off-by: Kristel Merilain <kristel.merilain@ria.ee>
---
 .../resources/static/scripts/download-install-web-eid.sh   | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
index c9b3fe9..7842c55 100755
--- a/example/src/main/resources/static/scripts/download-install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/download-install-web-eid.sh
@@ -62,8 +62,9 @@ test_sudo
 # 20.04     focal   LTS   2025-04
 # 22.04     jammy   LTS   2027-04
 # 23.10     mantic   -     2024-07
-LATEST_SUPPORTED_UBUNTU_CODENAME='mantic'
-LATEST_SUPPORTED_UBUNTU_VERSION='23.10'
+# 24.04     noble   -     2029-04
+LATEST_SUPPORTED_UBUNTU_CODENAME='noble'
+LATEST_SUPPORTED_UBUNTU_VERSION='24.04'
 
 # Check the distro and release.
 distro=$(lsb_release -is | tr '[:upper:]' '[:lower:]')
@@ -98,7 +99,7 @@ case $distro in
         utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute|impish|bionic|kinetic|lunar)
           make_fail "Ubuntu $codename is not officially supported"
           ;;
-        focal|jammy|mantic)
+        focal|jammy|mantic|noble)
           make_install $release
           ;;
         *)

From 5083fe4b049b4a2822ca8463d3cb9b43daf907d3 Mon Sep 17 00:00:00 2001
From: Kristel Merilain <kristel.merilain@ria.ee>
Date: Thu, 1 Aug 2024 13:03:18 +0300
Subject: [PATCH 107/116] Remove mantic support (#54)

Signed-off-by: Kristel Merilain <kristel.merilain@ria.ee>
---
 .../resources/static/scripts/download-install-web-eid.sh     | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
index 7842c55..56b60f8 100755
--- a/example/src/main/resources/static/scripts/download-install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/download-install-web-eid.sh
@@ -61,7 +61,6 @@ test_sudo
 # version   name    LTS   supported until
 # 20.04     focal   LTS   2025-04
 # 22.04     jammy   LTS   2027-04
-# 23.10     mantic   -     2024-07
 # 24.04     noble   -     2029-04
 LATEST_SUPPORTED_UBUNTU_CODENAME='noble'
 LATEST_SUPPORTED_UBUNTU_VERSION='24.04'
@@ -96,10 +95,10 @@ case $distro in
          *) ;;
       esac
       case $codename in
-        utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute|impish|bionic|kinetic|lunar)
+        utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute|impish|bionic|kinetic|lunar|mantic)
           make_fail "Ubuntu $codename is not officially supported"
           ;;
-        focal|jammy|mantic|noble)
+        focal|jammy|noble)
           make_install $release
           ;;
         *)

From 1d06df3a2994637b86090bafc7e2d7233119a544 Mon Sep 17 00:00:00 2001
From: Kristel Merilain <kristel.merilain@ria.ee>
Date: Thu, 3 Oct 2024 08:50:16 +0300
Subject: [PATCH 108/116] Update and rename download-install-web-eid.sh to
 install-web-eid.sh (#55)

Signed-off-by: Kristel Merilain <kristel.merilain@ria.ee>
---
 .../scripts/download-install-web-eid.sh       | 156 ------------
 .../static/scripts/install-web-eid.sh         | 231 ++++++++++++++++++
 2 files changed, 231 insertions(+), 156 deletions(-)
 delete mode 100755 example/src/main/resources/static/scripts/download-install-web-eid.sh
 create mode 100755 example/src/main/resources/static/scripts/install-web-eid.sh

diff --git a/example/src/main/resources/static/scripts/download-install-web-eid.sh b/example/src/main/resources/static/scripts/download-install-web-eid.sh
deleted file mode 100755
index 56b60f8..0000000
--- a/example/src/main/resources/static/scripts/download-install-web-eid.sh
+++ /dev/null
@@ -1,156 +0,0 @@
-#!/bin/bash
-#
-# This script downloads and installs Web eID in .deb based Linux distributions.
-# License: public domain.
-# Based on https://github.com/open-eid/linux-installer/blob/master/install-open-eid.sh
-
-set -eu
-
-test_sudo() {
-  if ! command -v sudo>/dev/null; then
-     make_fail "You must have sudo and be in sudo group\nAs root do: apt-get install sudo && adduser $USER sudo"
-  fi
-}
-
-test_root() {
-  if test $(id -u) -eq 0; then
-    echo "You run this script as root. DO NOT RUN RANDOM SCRIPTS AS ROOT."
-    exit 2
-  fi
-}
-
-make_fail() {
-  echo -e "$1"
-  exit 3
-}
-
-make_warn() {
-  echo "### $1"
-  echo "Press ENTER to continue, CTRL-C to cancel"
-  read -r dummy
-}
-
-make_install() {
-  echo "Installing Web eID packages for Ubuntu $1"
-  TMPDIR=`mktemp -d`
-  cd $TMPDIR
-  VERSION='2.5.0'
-  # BUILD=`[[ $1 == *0 ]] && echo 555 || echo 552`
-  BUILD='642'
-  UBUNTU_VERSION=${1//./}
-  wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid_${VERSION}.${BUILD}-${UBUNTU_VERSION}_all.deb"
-  wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-chrome_${VERSION}.${BUILD}-${UBUNTU_VERSION}_all.deb"
-  wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-firefox_${VERSION}.${BUILD}-${UBUNTU_VERSION}_all.deb"
-  wget "https://installer.id.ee/media/web-eid/Ubuntu/web-eid-native_${VERSION}.${BUILD}-${UBUNTU_VERSION}_amd64.deb"
-  sudo apt install -y ./web-eid*.deb
-  cd /tmp
-  rm -r $TMPDIR
-}
-
-### main
-
-# Check for Debian derivative.
-if ! command -v lsb_release>/dev/null; then
-  make_fail "# Not a Debian Linux derivative, cannot continue."
-fi
-
-# We use sudo.
-test_root
-test_sudo
-
-# version   name    LTS   supported until
-# 20.04     focal   LTS   2025-04
-# 22.04     jammy   LTS   2027-04
-# 24.04     noble   -     2029-04
-LATEST_SUPPORTED_UBUNTU_CODENAME='noble'
-LATEST_SUPPORTED_UBUNTU_VERSION='24.04'
-
-# Check the distro and release.
-distro=$(lsb_release -is | tr '[:upper:]' '[:lower:]')
-release=$(lsb_release -rs)
-codename=$(lsb_release -cs)
-
-case $distro in
-   debian)
-      make_warn "Debian is not officially supported"
-      case "$codename" in
-        bullseye)
-          make_warn "Debian $codename is not officially supported"
-          make_warn "Installing from ubuntu-focal repository"
-          make_install '20.04'
-          ;;
-        bookworm)
-          make_warn "Debian $codename is not officially supported"
-          make_warn "Installing from ubuntu-jammy repository"
-          make_install '22.04'
-          ;;
-        *)
-          make_fail "Debian $codename is not officially supported"
-          ;;
-      esac
-      ;;
-   ubuntu|neon)
-      case $distro in
-         neon) make_warn "Neon is not officially supported; assuming that it is equivalent to Ubuntu" ;;
-         *) ;;
-      esac
-      case $codename in
-        utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute|impish|bionic|kinetic|lunar|mantic)
-          make_fail "Ubuntu $codename is not officially supported"
-          ;;
-        focal|jammy|noble)
-          make_install $release
-          ;;
-        *)
-          make_warn "Ubuntu $codename is not officially supported"
-          make_warn "Trying to install package for Ubuntu ${LATEST_SUPPORTED_UBUNTU_CODENAME}"
-          make_install ${LATEST_SUPPORTED_UBUNTU_VERSION}
-          ;;
-      esac
-      ;;
-   linuxmint)
-      case $release in
-        21*)
-          make_warn "Linux Mint 21 is not officially supported"
-          make_install '22.04'
-          ;;
-        20*)
-          make_warn "Linux Mint 20 is not officially supported"
-          make_install '20.04'
-          ;;
-        *)
-          make_fail "Linux Mint $release is not officially supported"
-          ;;
-      esac
-      ;;
-   elementary*os|elementary)
-      case $release in
-        7*)
-          make_warn "Elementary OS 7 is not officially supported"
-          make_install '22.04'
-          ;;
-        *)
-          make_fail "Elementary OS $release is not officially supported"
-          ;;
-      esac
-      ;;
-   pop)
-      case $codename in
-        artful|cosmic|disco|eoan|bionic)
-          make_fail "Pop!_OS $codename is not officially supported"
-          ;;
-        focal|jammy)
-          make_warn "Pop!_OS $codename is not officially supported"
-          make_install $release
-          ;;
-        *)
-          make_warn "Pop!_OS $codename is not officially supported"
-          make_warn "Trying to install package for Pop!_OS ${LATEST_SUPPORTED_UBUNTU_CODENAME}"
-          make_install ${LATEST_SUPPORTED_UBUNTU_VERSION}
-          ;;
-      esac
-      ;;
-   *)
-      make_fail "$distro is not supported :("
-      ;;
-esac
diff --git a/example/src/main/resources/static/scripts/install-web-eid.sh b/example/src/main/resources/static/scripts/install-web-eid.sh
new file mode 100755
index 0000000..83d9a39
--- /dev/null
+++ b/example/src/main/resources/static/scripts/install-web-eid.sh
@@ -0,0 +1,231 @@
+#!/bin/sh
+# This script configures .deb based Linux repositories
+# License: public domain
+# Script https://github.com/open-eid/linux-installer
+# See wiki https://github.com/open-eid/linux-installer/wiki/Linux-Packages
+set -e
+
+# Key used for signing releases
+RIA_KEY="""-----BEGIN PGP PUBLIC KEY BLOCK-----
+Comment: GPGTools - https://gpgtools.org
+
+mQINBFcrMk4BEADCimHCTTCsBbUL+MtrRGNKEo/ccdjv0hArPqn1yt/7w9BFH17f
+kY+w6IFdfD0o1Uc7MOofsF3ROVIsw/mul6k1YUh2HxtKmsVOMLE0eWHShvMlXKDV
+1H1dCAk3A2c7nmzTedJaMMu+cLCRpt9zpmF1kG4i07UuyBxpRmolq/+hYa2JHPw4
+CFDW0s1T/rF1KUTbGHQKhT9Qek2tTsHQn4C33QUnCMkb3HCbDQksW69FoLiwa3am
+fAgGSOI8iZ3uofh3LU9kEy6dL6ZFKUevOETlDidHaNNDhC8g0seMkMLTuSmWc64X
+DTobStcuZcHtakzeWZ/V2kXouhUsgXOMxhPGHFkfd+qqk3LGqZ29wTK2bYyTjCsD
+gYPO2YHGmCzLzH9DgHNfjDWzeAWClg5PO/oB5sg5fYMwmHJtLeqGJarFKl22p9/K
+odRruGQiGqkHptxwdoNjgvgluiSb6C+dCU5pGU8t+9/+IfqxChltUkI02O6jfPO4
+mweflYBQ8zkXOLPlVIfJnO5xw4wwrh3rV/fXxlNMI+Ni7/zPF61OQ50r/oya6zRR
+rSLEAig2lZY+vhbv9WDgJKIPwb8oe13d1UCRDdtkj70MBQFh1m6RFzDXy4821U9w
+TRtRy+92UN5jRRkeMb0yaO/EboTRjOy7BToJSVeYGRQy73M2vhxhWXSXrwARAQAB
+tClSSUEgU29mdHdhcmUgU2lnbmluZyBLZXkgPHNpZ25pbmdAcmlhLmVlPokCNwQT
+AQoAIQUCVysyTgIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRDpqyFNxsg9
+aJJ9D/sGXNgFsEvbGEYlKtrhY9ungOBk7B5iH/Nxy+yMjIZY9mLdp9RMEO6oZFam
+3vC+3o01veRUkf0KRDjtDAK2c358aHsNAVcFXfJk950OuqUzywZvuNwlCOMCYZ41
+KBUfcwebhqiqMDzOLnx2mwUvV0OQGKgpqQes1+LE0pI2ySsgUyTp50mvLt8e9yXq
+1uO82WzmAYcR8VGOViavjtV8ZF4X09d1ugZAWeOsZHdjl7Yb/aUy4WW35wQsHmo8
+Tro6KuG9KgvrNM798gdhwA6kt29B2YGGTQGODwIt8jydN2o0P3UhpVW+C+60Axqw
+jSnPOJFPNVsRJ5se9PvhJS0xmUVOttRJFU74FmsK4dArG4pqMjBzXReEk9Pz03FW
+9EbD8PY+n/hrp2zp7kEa5umzLJePi3117r06OkiQoI0Wfmi3bISBe0oN2lS7QUBo
+DUursJNSMKpEhQBc3lPsyKoZwb73fl86iOm5/GpdMkKBXOQzGbgJV96I+s6ZemQ4
+psbxQCWStcwLnenkKEU2eezP9codmtRivRftx9+/xt9DxIfbtvZMPsrG6+EI+Ovo
+onO6lMgnQJmxhjJ5FUwyBn27b41LDUnQhdMHtSwr7HCyU/ufnte1dQQy+xxYH4fG
+oafemhM54Tx0fi47HruFu+DjSLECP57TVAVFJTyn6wr4U2Lya7kCDQRXKzJOARAA
+q1I36MBmlWenlq9ZqwAvA0kT1l4uyrkj7EIpPXNmkkMYtW3jHWe/4M4k6b0NmNnj
+FoaPmK86b037AoODd40xQYWV3Y5arwSfcZPYx35/+uiim4vykNI7u9MMujHDvMvV
+AE2RXK/s1Lj+7B37H9AkcpAdj+YngYEKrVjzUbiPJXisbEc/g94F56YqbnGB1g6Y
+pMXSGC1SvaYCBnUyWzLlmHYlib36R3dWXmpuQuTTn65QQU1jIKm5na7c37AP6k7G
+RBthPmDveXV+UFlWBl3ybqhVcf7svGcSLf/n7ekF9PlUEDoQ+4rA+mQARS138R3I
+WbZAB7KOTBrLPpPvKXvbq5r1/wfArBbKxOiB7c4xlejqeRbXFig4acQHK7vDfrIG
+yA6hyR1H73kp3uFl0SEa/RKsPcYUagkFn3tlUBrX+6/ZuOcowaN9FuShJlMrgk1K
+DiPprE7+gwA1fnGo6X/Jto6M6xkeGf0Lj2YZ6B0u2x8BIwSJUDqISd2TJoireMBb
+0GQRUyfBDGB9ZDvMvC0SIezw3aEPW68uLadJa98QUGyYWQunIfiKfGzKHhpc4ser
+V28WIJ/QJf2oJ3Cp3Ot2DI4qgJbSPkQYcizK/dNXJ6KoUv95i5SEQ82tw0vsytmI
+3jZseGWLOnz9+LS41O55JjylDUAgJchroNF7bJZ2DocAEQEAAYkCHwQYAQoACQUC
+VysyTgIbDAAKCRDpqyFNxsg9aKrtD/wM9pDDvLeeA6fg5mmAb6dmfhr2hAecbI/n
+sGD5qslu0oE11Zj9gwYD5ixhieLbudEWk+YaGsg1/s1vMIEZsAXQYY0kihOBYGtr
+heFA7YPzJSac1uwlF+unb7wvW8zYbyjkDpBmuyA08fHOFisHp1A4v4zsaLKZbCy7
+qQJWk8JU7eJnGecAuKnF8Zqpxur2k17QlsaoA3DIUDiSJyQVsFgTAgSkzjdQYVH2
+LVsb3XZeJnOoV1fs0E6kCCDUXtVx2yVzRgLKNnZvbufTKRAjr+mggUH+JOBbrDf/
+zf9Ud8PHBaLJh9+OA3AO310FwiJX0SnZjcCg29C7N0SkuDWowDLjwT8XAikdAsRC
+xPZcOJSQjnSrd/X6ZjvDEBNlnY0dBOnuWt3CmwEdIreEJGomGMBE2/mw5ieFhlpN
+6pp4Oe8kLl3mpd11RxfY2wW2r1BkxihtV/4pts7kCgSyRb8DwSZVYDHai5OtfeMZ
+OTbaIP5/7aWoxd3R4JoKX5zHqY6slzi+MERJmDcIR5v1Np8HGJIHR/10uG3WvQ43
+CBVNV1KxDSWiO99+50ajU2humchuZKucVQUirUGd5ZPijAuZzrQeE9yboEMSB5nj
+WxoE6tFHd17wOg+ImAMerVY53I4h0EkmbzPfeszZYR0geGvu4sngt69wJmmTINUC
+K2czbpReKw==
+=aSyh
+-----END PGP PUBLIC KEY BLOCK-----
+"""
+
+add_key() {
+  # keystring=`echo "$RIA_KEY" | gpg` # XXX: can't be automated, gpg always creates files on disk
+  keystring="0xC6C83D68 'RIA Software Signing Key <signing@ria.ee>'"
+  echo "Adding key to trusted key set"
+  echo "$keystring"
+  echo "$RIA_KEY" | gpg --dearmor | sudo tee /usr/share/keyrings/ria-repository.gpg > /dev/null
+}
+
+test_sudo() {
+  if ! command -v sudo>/dev/null; then
+     make_fail "You must have sudo and be in sudo group\nAs root do: apt install sudo && adduser $USER sudo"
+  fi
+}
+
+test_root() {
+  if test $(id -u) -eq 0; then
+    echo "You run this script as root. DO NOT RUN RANDOM SCRIPTS AS ROOT."
+    exit 2
+  fi
+}
+
+# add the given repository into /etc/apt/sources.list.d
+add_repository() {
+  umask 0022
+  echo "Adding RIA repository to APT sources list (/etc/apt/sources.list.d/ria-repository.list)"
+  echo "deb [signed-by=/usr/share/keyrings/ria-repository.gpg] https://installer.id.ee/media/ubuntu/ $1 main" | sudo tee /etc/apt/sources.list.d/ria-repository.list
+}
+
+make_install() {
+  echo "Installing software (apt update && apt install web-eid)"
+  sudo apt update
+  sudo apt install "$@"
+}
+
+make_fail() {
+  echo "$1"
+  exit 3
+}
+
+make_warn() {
+  echo "### $1"
+  echo "Press ENTER to continue, CTRL-C to cancel"
+  read -r dummy
+}
+
+### Install Estonian ID card software
+
+# check for Debian derivative.
+if ! command -v lsb_release>/dev/null; then
+  make_fail "# Not a Debian Linux :("
+fi
+
+# we use sudo
+test_root
+test_sudo
+
+# version   name    LTS   supported until
+# 20.04     focal   LTS   2025-04
+# 22.04     jammy   LTS   2027-04
+# 24.04     noble    -    2029-04
+LATEST_SUPPORTED_UBUNTU_CODENAME='noble'
+
+# check if Debian or Ubuntu
+distro=$(lsb_release -is | tr '[:upper:]' '[:lower:]')
+release=$(lsb_release -rs)
+codename=$(lsb_release -cs)
+
+case $distro in
+   debian)
+      make_warn "Debian is not officially supported"
+      echo "### Installing possibly missing https support for APT (apt install apt-transport-https)"
+      # Debian lacks https support for apt, by default
+      sudo apt install apt-transport-https
+      case "$codename" in
+         bullseye)
+          make_warn "Debian $codename is not officially supported"
+          make_warn "Installing from ubuntu-focal repository"
+          add_repository focal
+          ;;
+         bookworm)
+	 	      make_warn "Debian $codename is not officially supported"
+	 	      make_warn "Installing from ubuntu-jammy repository"
+	 	      add_repository jammy
+	 	      ;;
+        *)
+          make_fail "Debian $codename is not officially supported"
+          ;;
+      esac
+      ;;
+   ubuntu|neon|zorin)
+      case $distro in
+         neon) make_warn "Neon is not officially supported; assuming that it is equivalent to Ubuntu" ;;
+         *) ;;
+      esac
+      case $codename in
+        utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute|impish|bionic|zorin|kinetic|lunar|mantic)
+          make_fail "Ubuntu $codename is not officially supported"
+          ;;
+        focal|jammy|noble)
+          add_repository $codename
+          ;;
+        *)
+          make_warn "Ubuntu $codename is not officially supported"
+          make_warn "Trying to install package for Ubuntu ${LATEST_SUPPORTED_UBUNTU_CODENAME}"
+          add_repository ${LATEST_SUPPORTED_UBUNTU_CODENAME}
+          ;;
+      esac
+      ;;
+   linuxmint)
+      case $release in
+	    22*)
+          make_warn "Linux Mint 22 is not officially supported"
+          add_repository noble
+          ;;
+        21*)
+          make_warn "Linux Mint 21 is not officially supported"
+          add_repository jammy
+          ;;
+        20*)
+          make_warn "Linux Mint 20 is not officially supported"
+          add_repository focal
+          ;;
+        *)
+          make_fail "Linux Mint $release is not officially supported"
+          ;;
+      esac
+      ;;
+   elementary*os|elementary)
+      case $release in
+        7*)
+          make_warn "Elementary OS 7 is not officially supported"
+          add_repository jammy
+          ;;
+        *)
+          make_fail "Elementary OS $release is not officially supported"
+          ;;
+      esac
+      ;;
+   pop)
+      case $codename in
+        artful|cosmic|disco|eoan|bionic)
+          make_fail "Pop!_OS $codename is not officially supported"
+          ;;
+        focal|jammy)
+          make_warn "Pop!_OS $codename is not officially supported"
+          add_repository $codename
+          ;;
+        *)
+          make_warn "Pop!_OS $codename is not officially supported"
+          make_warn "Trying to install package for Pop!_OS ${LATEST_SUPPORTED_UBUNTU_CODENAME}"
+          add_repository ${LATEST_SUPPORTED_UBUNTU_CODENAME}
+          ;;
+      esac
+      ;;
+   *)
+      make_fail "$distro is not supported :("
+      ;;
+esac
+
+add_key
+make_install web-eid
+
+echo 
+echo "Thank you for using Estonian ID card!"
+read -p "Would you like to read instructions on how to configure browsers for using ID-card? (Y/n): " instructions
+case $instructions in
+    [Yy]*|"" ) xdg-open "https://www.id.ee/en/article/ubuntu-id-software-installation-updating-and-removal/#removing-mozilla-firefox";;
+    * ) ;;
+esac

From fe496e27dfee7a0bf2b2d2c6751bb2b31068fb1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mart=20S=C3=B5mermaa?= <mrts.pydev@gmail.com>
Date: Tue, 22 Oct 2024 15:54:28 +0300
Subject: [PATCH 109/116] Add v2.6.0 release (#56)

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
Co-authored-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/pom.xml                                 | 4 ++--
 example/src/main/resources/templates/index.html | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/example/pom.xml b/example/pom.xml
index 8cc9135..10264a7 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>3.3.0</version>
+		<version>3.3.4</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>eu.webeid.example</groupId>
@@ -20,7 +20,7 @@
 		<java.version>17</java.version>
 		<maven-surefire-plugin.version>3.2.5</maven-surefire-plugin.version>
 		<webeid.version>3.1.0</webeid.version>
-		<digidoc4j.version>5.3.0</digidoc4j.version>
+		<digidoc4j.version>5.3.1</digidoc4j.version>
 		<jmockit.version>1.44</jmockit.version>
 		<jib.version>3.4.2</jib.version>
 	</properties>
diff --git a/example/src/main/resources/templates/index.html b/example/src/main/resources/templates/index.html
index 5836d2e..b13f2cb 100644
--- a/example/src/main/resources/templates/index.html
+++ b/example/src/main/resources/templates/index.html
@@ -55,14 +55,14 @@ <h3><a id="usage"></a>Usage</h3>
                     Download and run the Web eID native app and browser extension installer:
                     <ul>
                         <li>on <b>Ubuntu Linux</b>, for Firefox and Chrome, download and execute the<br>
-                            <a href="/scripts/download-install-web-eid.sh"><code>download-install-web-eid.sh</code></a>
+                            <a href="/scripts/install-web-eid.sh"><code>install-web-eid.sh</code></a>
                             script from the console with<br>
-                            <code>wget -O - https://<span th:text="${serverName}"/>/scripts/download-install-web-eid.sh
+                            <code>wget -O - https://<span th:text="${serverName}"/>/scripts/install-web-eid.sh
                                 | bash</code><br>
                             Note: as of the 2.5 version, Web eID supports Firefox installed via Snap.
                         </li>
                         <li>on <b>macOS</b> 12 or later, for Firefox and Chrome from <a
-                                href="https://installer.id.ee/media/web-eid/web-eid_2.5.0.642.dmg">here</a>,
+                                href="https://installer.id.ee/media/web-eid/web-eid_2.6.0.654.dmg">here</a>,
                         </li>
                         <li>on <b>macOS</b> 12 or later, for Safari, install the extension from <a
                                 href="https://apps.apple.com/ee/app/web-eid/id1576665083?mt=12">App Store</a>,
@@ -70,7 +70,7 @@ <h3><a id="usage"></a>Usage</h3>
                         <li>on <b>Windows</b> 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server
                             2022,
                             for Firefox, Chrome and Edge from <a
-                                    href="https://installer.id.ee/media/web-eid/web-eid_2.5.0.646.x64.exe">here</a>.
+                                    href="https://installer.id.ee/media/web-eid/web-eid_2.6.0.900.x64.exe">here</a>.
                         </li>
                     </ul>
                 </li>

From 2d695af34765affc6c8aef80578124fa5a72f465 Mon Sep 17 00:00:00 2001
From: Kristel Merilain <kristel.merilain@ria.ee>
Date: Tue, 19 Nov 2024 20:21:06 +0200
Subject: [PATCH 110/116] Add oracular support (#57)

* Add oracular support

Signed-off-by: Kristel Merilain <kristel.merilain@ria.ee>

* Noble is LTS

---------

Signed-off-by: Kristel Merilain <kristel.merilain@ria.ee>
Co-authored-by: Raul Metsma <raul@metsma.ee>
---
 .../src/main/resources/static/scripts/install-web-eid.sh   | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/example/src/main/resources/static/scripts/install-web-eid.sh b/example/src/main/resources/static/scripts/install-web-eid.sh
index 83d9a39..c8c5ea7 100755
--- a/example/src/main/resources/static/scripts/install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/install-web-eid.sh
@@ -119,8 +119,9 @@ test_sudo
 # version   name    LTS   supported until
 # 20.04     focal   LTS   2025-04
 # 22.04     jammy   LTS   2027-04
-# 24.04     noble    -    2029-04
-LATEST_SUPPORTED_UBUNTU_CODENAME='noble'
+# 24.04     noble   LTS   2029-04
+# 24.10     oracular -    2025-07
+LATEST_SUPPORTED_UBUNTU_CODENAME='oracular'
 
 # check if Debian or Ubuntu
 distro=$(lsb_release -is | tr '[:upper:]' '[:lower:]')
@@ -158,7 +159,7 @@ case $distro in
         utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute|impish|bionic|zorin|kinetic|lunar|mantic)
           make_fail "Ubuntu $codename is not officially supported"
           ;;
-        focal|jammy|noble)
+        focal|jammy|noble|oracular)
           add_repository $codename
           ;;
         *)

From 88072f340734bd3071f30b5193ffc335c76ffd90 Mon Sep 17 00:00:00 2001
From: Kristel Merilain <kristel.merilain@ria.ee>
Date: Mon, 27 Jan 2025 10:23:45 +0200
Subject: [PATCH 111/116] Remove focal support

---
 .../static/scripts/install-web-eid.sh          | 18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)

diff --git a/example/src/main/resources/static/scripts/install-web-eid.sh b/example/src/main/resources/static/scripts/install-web-eid.sh
index c8c5ea7..8a2828c 100755
--- a/example/src/main/resources/static/scripts/install-web-eid.sh
+++ b/example/src/main/resources/static/scripts/install-web-eid.sh
@@ -117,7 +117,6 @@ test_root
 test_sudo
 
 # version   name    LTS   supported until
-# 20.04     focal   LTS   2025-04
 # 22.04     jammy   LTS   2027-04
 # 24.04     noble   LTS   2029-04
 # 24.10     oracular -    2025-07
@@ -135,11 +134,6 @@ case $distro in
       # Debian lacks https support for apt, by default
       sudo apt install apt-transport-https
       case "$codename" in
-         bullseye)
-          make_warn "Debian $codename is not officially supported"
-          make_warn "Installing from ubuntu-focal repository"
-          add_repository focal
-          ;;
          bookworm)
 	 	      make_warn "Debian $codename is not officially supported"
 	 	      make_warn "Installing from ubuntu-jammy repository"
@@ -156,10 +150,10 @@ case $distro in
          *) ;;
       esac
       case $codename in
-        utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute|impish|bionic|zorin|kinetic|lunar|mantic)
+        utopic|vivid|wily|trusty|artful|cosmic|disco|xenial|eoan|groovy|hirsute|impish|bionic|zorin|kinetic|lunar|mantic|focal)
           make_fail "Ubuntu $codename is not officially supported"
           ;;
-        focal|jammy|noble|oracular)
+        jammy|noble|oracular)
           add_repository $codename
           ;;
         *)
@@ -179,10 +173,6 @@ case $distro in
           make_warn "Linux Mint 21 is not officially supported"
           add_repository jammy
           ;;
-        20*)
-          make_warn "Linux Mint 20 is not officially supported"
-          add_repository focal
-          ;;
         *)
           make_fail "Linux Mint $release is not officially supported"
           ;;
@@ -201,10 +191,10 @@ case $distro in
       ;;
    pop)
       case $codename in
-        artful|cosmic|disco|eoan|bionic)
+        artful|cosmic|disco|eoan|bionic|focal)
           make_fail "Pop!_OS $codename is not officially supported"
           ;;
-        focal|jammy)
+        jammy)
           make_warn "Pop!_OS $codename is not officially supported"
           add_repository $codename
           ;;

From e7dccc8ed1d8263796a354f4ac545e80ccd13486 Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Thu, 20 Mar 2025 21:52:40 +0200
Subject: [PATCH 112/116] Add Thales test ID card intermediate CA to trusted
 certificates in dev profile

WE2-1063

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 .../resources/certs/dev/TestESTEID2025.cer    | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 example/src/main/resources/certs/dev/TestESTEID2025.cer

diff --git a/example/src/main/resources/certs/dev/TestESTEID2025.cer b/example/src/main/resources/certs/dev/TestESTEID2025.cer
new file mode 100644
index 0000000..ca8933f
--- /dev/null
+++ b/example/src/main/resources/certs/dev/TestESTEID2025.cer
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMTCCAregAwIBAgIUNtXxgsJYFy9r5Opm2j2LcsnZYtkwCgYIKoZIzj0EAwMw
+XTEZMBcGA1UEAwwQVGVzdCBFRUdvdkNBMjAyNTEXMBUGA1UEYQwOTlRSRUUtMTcw
+NjYwNDkxGjAYBgNVBAoMEVpldGVzIEVzdG9uaWEgT8OcMQswCQYDVQQGEwJFRTAe
+Fw0yNDExMDQxMjU5NTVaFw0zOTExMDMxMjU5NTRaMFwxGDAWBgNVBAMMD1Rlc3Qg
+RVNURUlEMjAyNTEXMBUGA1UEYQwOTlRSRUUtMTcwNjYwNDkxGjAYBgNVBAoMEVpl
+dGVzIEVzdG9uaWEgT8OcMQswCQYDVQQGEwJFRTB2MBAGByqGSM49AgEGBSuBBAAi
+A2IABC8Uc5s70j1iWMZNbQyVYpDmwp4Ad5HlQmFB9noY2yBeDKL2KHKQG31SDTbo
+KlBz7JUWsmaxF1Vj6ZkKAwcltO2cBnEU1B5H8hWgk5Un61GZxhX2wPkwJLm7vjyi
+dKmftqOCATcwggEzMBIGA1UdEwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU4Vbf
+rsSXORfv3goMbOVys4vVchAwSQYIKwYBBQUHAQEEPTA7MDkGCCsGAQUFBzAChi1o
+dHRwOi8vY3J0LXRlc3QuZWlkcGtpLmVlL3Rlc3RFRUdvdkNBMjAyNS5jcnQwQgYD
+VR0gBDswOTA3BgRVHSAAMC8wLQYIKwYBBQUHAgEWIWh0dHBzOi8vcmVwb3NpdG9y
+eS10ZXN0LmVpZHBraS5lZTA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vY3JsLXRl
+c3QuZWlkcGtpLmVlL3Rlc3RFRUdvdkNBMjAyNS5jcmwwHQYDVR0OBBYEFO7ylT+M
+svxRnoTm5l6EEX5CuiA2MA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNoADBl
+AjEA3qECw4GIfbeoC5cFhtiPJRfFlzsjRGVBtQTH6DNbZsm+EF6Gc28/iZFX1H6n
+UTRlAjAiwooqEyVbxA1KqT6PwVl1BXNbF59j6MaiNR43dYeJxrdOnxleR50EVdIC
+DJFEm2E=
+-----END CERTIFICATE-----
\ No newline at end of file

From 07e0ca1ea52d841163b002c9ea088d7f84f7351e Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 21 Mar 2025 15:29:31 +0200
Subject: [PATCH 113/116] Update copyright year to 2025

WE2-1072

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 .../WebEidSpringbootExampleApplication.java   |  2 +-
 .../config/ApplicationConfiguration.java      |  2 +-
 .../config/SameSiteCookieConfiguration.java   |  2 +-
 .../SessionBackedChallengeNonceStore.java     |  2 +-
 .../config/ValidationConfiguration.java       |  2 +-
 .../eu/webeid/example/config/YAMLConfig.java  |  2 +-
 .../AuthTokenDTOAuthenticationProvider.java   |  2 +-
 .../WebEidAjaxLoginProcessingFilter.java      |  2 +-
 .../security/WebEidAuthentication.java        |  2 +-
 .../AjaxAuthenticationFailureHandler.java     |  2 +-
 .../AjaxAuthenticationSuccessHandler.java     |  2 +-
 .../example/security/dto/AuthTokenDTO.java    |  2 +-
 .../example/service/SigningService.java       |  2 +-
 .../example/service/dto/CertificateDTO.java   |  2 +-
 .../example/service/dto/ChallengeDTO.java     |  2 +-
 .../webeid/example/service/dto/DigestDTO.java |  2 +-
 .../webeid/example/service/dto/FileDTO.java   |  2 +-
 .../service/dto/SignatureAlgorithmDTO.java    |  2 +-
 .../example/service/dto/SignatureDTO.java     |  2 +-
 .../webeid/example/web/IndexController.java   |  2 +-
 .../webeid/example/web/WelcomeController.java |  2 +-
 .../example/web/rest/ChallengeController.java |  2 +-
 .../example/web/rest/SigningController.java   |  2 +-
 .../src/main/resources/static/js/errors.js    |  2 +-
 .../AuthenticationRestControllerTest.java     |  2 +-
 .../eu/webeid/example/WebApplicationTest.java |  2 +-
 .../WebEidAjaxLoginProcessingFilterTest.java  | 22 +++++++++++++++++++
 .../security/WebEidAuthenticationTest.java    | 22 +++++++++++++++++++
 .../eu/webeid/example/testutil/Dates.java     |  2 +-
 .../webeid/example/testutil/HttpHelper.java   |  2 +-
 .../webeid/example/testutil/ObjectMother.java |  2 +-
 31 files changed, 73 insertions(+), 29 deletions(-)

diff --git a/example/src/main/java/eu/webeid/example/WebEidSpringbootExampleApplication.java b/example/src/main/java/eu/webeid/example/WebEidSpringbootExampleApplication.java
index f82bac0..5fe5195 100644
--- a/example/src/main/java/eu/webeid/example/WebEidSpringbootExampleApplication.java
+++ b/example/src/main/java/eu/webeid/example/WebEidSpringbootExampleApplication.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
index d93c942..1728628 100644
--- a/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java b/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java
index 7940165..7460252 100644
--- a/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/SameSiteCookieConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java b/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
index cb4654d..2d57e1f 100644
--- a/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
+++ b/example/src/main/java/eu/webeid/example/config/SessionBackedChallengeNonceStore.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java b/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
index dbe21ee..3e36793 100644
--- a/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
+++ b/example/src/main/java/eu/webeid/example/config/ValidationConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/config/YAMLConfig.java b/example/src/main/java/eu/webeid/example/config/YAMLConfig.java
index 35905f0..234a856 100644
--- a/example/src/main/java/eu/webeid/example/config/YAMLConfig.java
+++ b/example/src/main/java/eu/webeid/example/config/YAMLConfig.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java b/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
index 9965ff3..274a47b 100644
--- a/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
+++ b/example/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
index cc47f86..4782ee9 100644
--- a/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
index c039007..5ba3ebf 100644
--- a/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
+++ b/example/src/main/java/eu/webeid/example/security/WebEidAuthentication.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
index 647698f..1bec05f 100644
--- a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
+++ b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationFailureHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
index b545422..a5ea20d 100644
--- a/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
+++ b/example/src/main/java/eu/webeid/example/security/ajax/AjaxAuthenticationSuccessHandler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/security/dto/AuthTokenDTO.java b/example/src/main/java/eu/webeid/example/security/dto/AuthTokenDTO.java
index 9321c4c..73a70a4 100644
--- a/example/src/main/java/eu/webeid/example/security/dto/AuthTokenDTO.java
+++ b/example/src/main/java/eu/webeid/example/security/dto/AuthTokenDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/SigningService.java b/example/src/main/java/eu/webeid/example/service/SigningService.java
index 507b4b3..ddb3bd2 100644
--- a/example/src/main/java/eu/webeid/example/service/SigningService.java
+++ b/example/src/main/java/eu/webeid/example/service/SigningService.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java b/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java
index 6050c85..7704d01 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/CertificateDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java b/example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java
index dd95d42..4a6b9c9 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/ChallengeDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/DigestDTO.java b/example/src/main/java/eu/webeid/example/service/dto/DigestDTO.java
index 4e56d36..c567d70 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/DigestDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/DigestDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java b/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java
index 3a65edc..949b358 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/FileDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java b/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
index bef5ba4..287682f 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/SignatureAlgorithmDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/service/dto/SignatureDTO.java b/example/src/main/java/eu/webeid/example/service/dto/SignatureDTO.java
index 68742fc..68ffd3b 100644
--- a/example/src/main/java/eu/webeid/example/service/dto/SignatureDTO.java
+++ b/example/src/main/java/eu/webeid/example/service/dto/SignatureDTO.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/web/IndexController.java b/example/src/main/java/eu/webeid/example/web/IndexController.java
index e464a50..6da1b71 100644
--- a/example/src/main/java/eu/webeid/example/web/IndexController.java
+++ b/example/src/main/java/eu/webeid/example/web/IndexController.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/web/WelcomeController.java b/example/src/main/java/eu/webeid/example/web/WelcomeController.java
index 0db6fc7..bba34c2 100644
--- a/example/src/main/java/eu/webeid/example/web/WelcomeController.java
+++ b/example/src/main/java/eu/webeid/example/web/WelcomeController.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java b/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java
index ecc3ee4..df54366 100644
--- a/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java
+++ b/example/src/main/java/eu/webeid/example/web/rest/ChallengeController.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/java/eu/webeid/example/web/rest/SigningController.java b/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
index 4f935be..2a1c652 100644
--- a/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
+++ b/example/src/main/java/eu/webeid/example/web/rest/SigningController.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/main/resources/static/js/errors.js b/example/src/main/resources/static/js/errors.js
index 95220bb..7f42d5f 100644
--- a/example/src/main/resources/static/js/errors.js
+++ b/example/src/main/resources/static/js/errors.js
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java b/example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java
index aa6f5df..ec5345a 100644
--- a/example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java
+++ b/example/src/test/java/eu/webeid/example/AuthenticationRestControllerTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/test/java/eu/webeid/example/WebApplicationTest.java b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
index e28e8fa..f7f5a3d 100644
--- a/example/src/test/java/eu/webeid/example/WebApplicationTest.java
+++ b/example/src/test/java/eu/webeid/example/WebApplicationTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java b/example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java
index cb95073..828399b 100644
--- a/example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java
+++ b/example/src/test/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilterTest.java
@@ -1,3 +1,25 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 package eu.webeid.example.security;
 
 import jakarta.servlet.http.HttpServletRequest;
diff --git a/example/src/test/java/eu/webeid/example/security/WebEidAuthenticationTest.java b/example/src/test/java/eu/webeid/example/security/WebEidAuthenticationTest.java
index 630cf49..1da776b 100644
--- a/example/src/test/java/eu/webeid/example/security/WebEidAuthenticationTest.java
+++ b/example/src/test/java/eu/webeid/example/security/WebEidAuthenticationTest.java
@@ -1,3 +1,25 @@
+/*
+ * Copyright (c) 2020-2025 Estonian Information System Authority
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
 package eu.webeid.example.security;
 
 import eu.webeid.security.certificate.CertificateLoader;
diff --git a/example/src/test/java/eu/webeid/example/testutil/Dates.java b/example/src/test/java/eu/webeid/example/testutil/Dates.java
index c44118d..3f5f76a 100644
--- a/example/src/test/java/eu/webeid/example/testutil/Dates.java
+++ b/example/src/test/java/eu/webeid/example/testutil/Dates.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java b/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
index fec2621..9c8b0dc 100644
--- a/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
+++ b/example/src/test/java/eu/webeid/example/testutil/HttpHelper.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal
diff --git a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
index f6103d5..288b136 100644
--- a/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
+++ b/example/src/test/java/eu/webeid/example/testutil/ObjectMother.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024 Estonian Information System Authority
+ * Copyright (c) 2020-2025 Estonian Information System Authority
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy
  * of this software and associated documentation files (the "Software"), to deal

From f54db1b226295069876434aac7d91068e6a219ff Mon Sep 17 00:00:00 2001
From: Mart Somermaa <mrts@users.noreply.github.com>
Date: Fri, 21 Mar 2025 15:38:26 +0200
Subject: [PATCH 114/116] Bump version to 3.1.1, update dependencies

WE2-1072

Signed-off-by: Mart Somermaa <mrts@users.noreply.github.com>
---
 example/docker-compose.yml |  2 +-
 example/pom.xml            | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/example/docker-compose.yml b/example/docker-compose.yml
index 239d19a..2303e15 100644
--- a/example/docker-compose.yml
+++ b/example/docker-compose.yml
@@ -1,7 +1,7 @@
 version: '2'
 services:
   web-eid-springboot-example:
-    image: web-eid-springboot-example:3.1.0
+    image: web-eid-springboot-example:3.1.1
     restart: always
     environment:
       JAVA_TOOL_OPTIONS: '-Dspring.profiles.active=prod'
diff --git a/example/pom.xml b/example/pom.xml
index 10264a7..3d8f5f7 100644
--- a/example/pom.xml
+++ b/example/pom.xml
@@ -5,12 +5,12 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>3.3.4</version>
+		<version>3.4.4</version>
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>eu.webeid.example</groupId>
 	<artifactId>web-eid-springboot-example</artifactId>
-	<version>3.1.0</version>
+	<version>3.1.1</version>
 	<name>web-eid-springboot-example</name>
 	<description>Example Spring Boot application that demonstrates how to use Web eID for authentication and digital
 		signing
@@ -18,11 +18,11 @@
 
 	<properties>
 		<java.version>17</java.version>
-		<maven-surefire-plugin.version>3.2.5</maven-surefire-plugin.version>
-		<webeid.version>3.1.0</webeid.version>
-		<digidoc4j.version>5.3.1</digidoc4j.version>
+		<maven-surefire-plugin.version>3.5.2</maven-surefire-plugin.version>
+		<webeid.version>3.1.1</webeid.version>
+		<digidoc4j.version>6.0.0</digidoc4j.version>
 		<jmockit.version>1.44</jmockit.version>
-		<jib.version>3.4.2</jib.version>
+		<jib.version>3.4.5</jib.version>
 	</properties>
 
 	<dependencies>

From a945f5bfd1deb447cb0191b7dd76fb84ff403aa4 Mon Sep 17 00:00:00 2001
From: Sven Mitt <svenzik@users.noreply.github.com>
Date: Tue, 6 May 2025 14:05:43 +0300
Subject: [PATCH 115/116] Update README.md

WE2-932

Signed-off-by: Sven Mitt <svenzik@users.noreply.github.com>
---
 README.md | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 1d470f2..fa6b102 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,8 @@ A Java web application that uses Maven or Gradle to manage packages is needed fo
 
 In the following example we are using the [Spring Framework](https://spring.io/), but the examples can be easily ported to other Java web application frameworks.
 
-See the full example [here](https://github.com/web-eid/web-eid-spring-boot-example).
+## Full example project using the validation library in spring-boot
+[example/README.md](example/README.md)
 
 ## 1. Add the library to your project
 
@@ -98,7 +99,7 @@ import eu.webeid.security.challenge.ChallengeNonceStore;
 
 ## 4. Add trusted certificate authority certificates
 
-You must explicitly specify which **intermediate** certificate authorities (CAs) are trusted to issue the eID authentication and OCSP responder certificates. CA certificates can be loaded from either the truststore file, resources or any stream source. We use the [`CertificateLoader`](https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/src/main/java/eu/webeid/security/certificate/CertificateLoader.java) helper class to load CA certificates from resources here, but consider using [the truststore file](https://github.com/web-eid/web-eid-spring-boot-example/blob/main/src/main/java/eu/webeid/example/config/ValidationConfiguration.java#L104-L123) instead.
+You must explicitly specify which **intermediate** certificate authorities (CAs) are trusted to issue the eID authentication and OCSP responder certificates. CA certificates can be loaded from either the truststore file, resources or any stream source. We use the [`CertificateLoader`](https://github.com/web-eid/web-eid-authtoken-validation-java/blob/main/src/main/java/eu/webeid/security/certificate/CertificateLoader.java) helper class to load CA certificates from resources here, but consider using [the truststore file](./blob/example/main/src/main/java/eu/webeid/example/config/ValidationConfiguration.java#L104-L123) instead.
 
 First, copy the trusted certificates, for example `ESTEID2018.cer`, to `resources/cacerts/`, then load the certificates as follows:
 
@@ -171,11 +172,11 @@ Authentication consists of calling the `validate()` method of the authentication
 
 When using [Spring Security](https://spring.io/guides/topicals/spring-security-architecture) with standard cookie-based authentication,
 
-- implement a custom authentication provider that uses the authentication token validator for authentication as shown [here](https://github.com/web-eid/web-eid-spring-boot-example/blob/main/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java),
-- implement an AJAX authentication processing filter that extracts the authentication token and passes it to the authentication manager as shown [here](https://github.com/web-eid/web-eid-spring-boot-example/blob/main/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java),
+- implement a custom authentication provider that uses the authentication token validator for authentication as shown [here](example/blob/main/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java),
+- implement an AJAX authentication processing filter that extracts the authentication token and passes it to the authentication manager as shown [here](example/blob/main/src/main/java/eu/webeid/example/security/WebEidAjaxLoginProcessingFilter.java),
 - configure the authentication provider and authentication processing filter in the application configuration as shown [here](https://github.com/web-eid/web-eid-spring-boot-example/blob/main/src/main/java/eu/webeid/example/config/ApplicationConfiguration.java).
 
-The gist of the validation is [in the `authenticate()` method](https://github.com/web-eid/web-eid-spring-boot-example/blob/main/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java#L74-L76) of the authentication provider:
+The gist of the validation is [in the `authenticate()` method](example/blob/main/src/main/java/eu/webeid/example/security/AuthTokenDTOAuthenticationProvider.java#L74-L76) of the authentication provider:
 
 ```java
 try {

From a13c5ca6de544c5ba34e9c2427c9ad61350c7433 Mon Sep 17 00:00:00 2001
From: Sven Mitt <svenzik@users.noreply.github.com>
Date: Tue, 6 May 2025 14:06:44 +0300
Subject: [PATCH 116/116] Move example project workflow to parent, add build
 scripts and sonar

WE2-932

Signed-off-by: Sven Mitt <svenzik@users.noreply.github.com>
---
 .../workflows/maven-build-example.yml           | 17 +++++++++++++++--
 .github/workflows/maven-build.yml               | 10 +++++++++-
 .github/workflows/sonarcloud-analysis.yml       | 10 +++++++++-
 3 files changed, 33 insertions(+), 4 deletions(-)
 rename example/.github/workflows/maven-build.yml => .github/workflows/maven-build-example.yml (71%)

diff --git a/example/.github/workflows/maven-build.yml b/.github/workflows/maven-build-example.yml
similarity index 71%
rename from example/.github/workflows/maven-build.yml
rename to .github/workflows/maven-build-example.yml
index 14becab..3893cbd 100644
--- a/example/.github/workflows/maven-build.yml
+++ b/.github/workflows/maven-build-example.yml
@@ -1,6 +1,18 @@
-name: Maven build
+name: Maven build example
 
-on: [ push, pull_request ]
+on:
+  push:
+    paths:
+      - 'example/**'
+      - '.github/workflows/*example*'
+  pull_request:
+    paths:
+      - 'example/**'
+      - '.github/workflows/*example*'
+
+defaults:
+  run:
+    working-directory: ./example
 
 jobs:
   build:
@@ -26,3 +38,4 @@ jobs:
 
       - name: Test and package
         run: mvn --batch-mode package
+
diff --git a/.github/workflows/maven-build.yml b/.github/workflows/maven-build.yml
index 7d17dea..7b13b8f 100644
--- a/.github/workflows/maven-build.yml
+++ b/.github/workflows/maven-build.yml
@@ -1,6 +1,14 @@
 name: Maven build
 
-on: [ push, pull_request ]
+on:
+  push:
+    paths-ignore:
+      - 'example/**'
+      - '.github/workflows/*example*'
+  pull_request:
+    paths-ignore:
+      - 'example/**'
+      - '.github/workflows/*example*'
 
 jobs:
   build:
diff --git a/.github/workflows/sonarcloud-analysis.yml b/.github/workflows/sonarcloud-analysis.yml
index 2ed0c3a..0755bcc 100644
--- a/.github/workflows/sonarcloud-analysis.yml
+++ b/.github/workflows/sonarcloud-analysis.yml
@@ -1,6 +1,14 @@
 name: SonarCloud code analysis
 
-on: [push, pull_request]
+on:
+  push:
+    paths-ignore:
+      - 'example/**'
+      - '.github/workflows/*example*'
+  pull_request:
+    paths-ignore:
+      - 'example/**'
+      - '.github/workflows/*example*'
 
 jobs:
   analyze: